Just complementing Meir's response...
If you have the agent installed, 10M would be more than enough (maybe 20M to keep some space for the ossec.log). For the server/local, Meir's calculation is right, but he forgot that ossec by default gzips all the logs after each day (reducing the log size by +-90%)... It will all depends on the amount of alerts you have each day (you can also remove old files easily, since the alerts are organized by date). Hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net On 11/6/06, Meir Michanie <[EMAIL PROTECTED]> wrote:
if it could be possible to set ossec to work on a ring file, then a few megs should be enough. With the current functionality you need to calculate the number of events per day that you will parse and log. each event is 5 lines of text. my calculation is that every alert takes 300 bytes average, (log of 2MG / 7000 alerts) On 11/3/06, Monteiro, Teresa <[EMAIL PROTECTED]> wrote: > > > Thanks a lot you for your quick feedback, Daniel and Meir. > > What would be the minimum amount of hard disk space you would advise ? > > Cheers, > Teresa > > > ________________________________ From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Meir Michanie > Sent: Thursday, November 02, 2006 10:32 AM > To: [email protected] > Subject: [ossec-list] Re: OSSEC on embedded system ? > > > > the only problem is hdd space. > > > On 11/1/06, Daniel Cid <[EMAIL PROTECTED]> wrote: > > > > Hi Teresa, > > > > Ossec should work well on low-memory and low-cpu systems. I actually > > have it running as a server (monitoring 4 agents) in a PII with only 64M of > > memory without any problems. Anything higher than that will work fine... > > > > > > hope it helps. > > > > -- > > Daniel B. Cid > > dcid ( at ) ossec.net > > > > On 10/31/06, Monteiro, Teresa <[EMAIL PROTECTED] > wrote: > > > > > > > > > > > > Hi. > > > I am trying to find out whether I can install and run OSSEC on an embedded > > > system. It is a PowerPC 400MHz, running Linux - also, what kind of memory > > > requirements are there ? > > > > > > Thanks a lot! > > > Cheers, > > > Teresa > > > > > > > > > >
