I have a network segment behind a NAT firewall with servers I want to monitor with OSSEC. Currently, the only way to do this is to set up another OSSEC server for that network segment. Doing so means that I could not benefit from the centralized logging, event correlation, etc., since there would be 2 servers.
One solution for this would be if OSSEC had the ability to forward events from one OSSEC server to another "master" server. Essentially the OSSEC server in the NATed segment would collect alerts for that segment, then forward them to the "master" server where they can be analysed and correlated with other alerts from other segments. Active response messages could be similarly "proxied" to clients on NATed segments through the OSSEC server on that segment. This would be a very cool feature for OSSEC to have.