Black CryptoKnight wrote:
> I have a network segment behind a NAT firewall with servers I want to
> monitor with OSSEC. Currently, the only way to do this is to set up
> another OSSEC server for that network segment. Doing so means that I
> could not benefit from the centralized logging and event correlation
> etc. since there would be 2 servers.
>
> One solution for this would be if OSSEC had the ability to forward
> events from one OSSEC server to another "master" server. Essentially the
> OSSEC server in the NATed segment would collect alerts for that segment,
> then forward them to the "master" server where they can be analysed and
> correlated with other alerts from other segments.
>
> Active response messages could be similarly "proxied" to clients on
> NATed segments through the OSSEC server on that segment.
I agree. I have been thinking along the same lines. I have pondered using something like sshfs or a reverse zebedee tunnel (which I am not sure will work, considering the connected UDP way of communicating.) Another way for OSSEC to implement this would be server-initiated connections.