Hello,

Our environment currently consists of a large number of hosts, running syslog-ng, that forward events to a loghost running syslog. We have installed OSSEC in local mode on the loghost as a pilot. Of course, this means that we have no ability to use features like active response or integrity checking.
We would like to keep running syslog-ng on our hosts but stop using it to forward events to the loghost. Instead, we would like to run the OSSEC agent on each host for that purpose. We would replace syslog on the loghost with OSSEC in server mode. Further, we would like to enable remote syslog on the loghost so that we can receive events from agentless devices.

The problem with this design approach is that while we end up with a centralized store of alerts on the loghost, we lose all the original events, particularly events that did not generate alerts. It would be useful to have the events in a central location for data mining purposes.

We could set up syslog-ng on each host to forward their events as well as set up the OSSEC agent on each host. On the loghost we would need to run both syslog and OSSEC in server mode without remote syslog. Aside from the duplicity of this approach, one problem is that we couldn't create alerts from agentless devices because their events would be sent to syslog rather than OSSEC. Of course, I guess we could configure syslog to store events from an agentless device into a special file monitored by OSSEC.

Is there a way to configure OSSEC in server mode to retain the original events so that we can deploy OSSEC as described in the second paragraph?

Thanks,
Trevor McLeod
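The design in the post (OSSEC server on the loghost, agents on every host, a remote syslog listener for agentless devices, and every received event kept centrally rather than only the alerts) maps onto a few stanzas of the server's ossec.conf. The fragment below is an added illustration for this thread, not configuration from the original post or from the OSSEC project's shipped defaults; the network range, the agentless log path and the localfile stanza are assumptions chosen for the example.

```xml
<ossec_config>
  <global>
    <!-- logall=yes makes the server write every event it receives, alert or not,
         to logs/archives/ under the OSSEC install directory, so the original
         events survive for later data mining. -->
    <logall>yes</logall>
  </global>

  <!-- Agents connect here (the default secure channel on UDP/1514). -->
  <remote>
    <connection>secure</connection>
  </remote>

  <!-- Remote syslog listener for devices that cannot run an agent.
       allowed-ips is an assumed example range; restrict it to the
       subnets the agentless devices actually live on. -->
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.168.0.0/16</allowed-ips>
  </remote>

  <!-- Alternative from the post: if a local syslog daemon keeps receiving
       agentless events and writes them to a dedicated file, the server can
       monitor that file directly. /var/log/agentless.log is an assumed path. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/agentless.log</location>
  </localfile>
</ossec_config>
```

With logall enabled, the archives directory grows with every event rather than every alert, so plan disk space and rotation for it; the archive files carry the same timestamp and source-host fields as the alerts, which is what makes them usable for the centralized search the post asks about.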
