I am fairly new to using OSSEC. We are setting it up in an enterprise environment and so far are very impressed with the product. We are figuring out how to filter out what we want and alert on what we want. The big question I have now is that the search feature seems to be very slow and sometimes does not work at all. I can put in an IP that I know is there, but OSSEC does not find it. Maybe I need to configure something differently. We have looked at several log management systems and really like OSSEC; when we looked at Splunk, their search feature was almost instant and was really helpful. Does the OSSEC search feature work anything like the Splunk one? If not, any tips on how to speed it up a bit?

Thanks,
Mike Chesmore
[email protected]
