Consider listing two OSSEC servers in the agent's ossec.conf.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Michael Altfield
Sent: Tuesday, July 28, 2009 12:08 PM
To: ossec-list
Subject: [ossec-list] Agent alert queues to prevent data loss

Hello all,

I've been playing with OSSEC for several weeks now, and I absolutely love this product. IMHO, it's by far the best FOSS HIDS on the market with a wonderful user and developer community.

I'd like to utilize OSSEC in our corporate production environment, but the biggest problem I've found with it is that the agents don't appear to queue their alerts in memory. The issue being: if the OSSEC server is down or there is a temporary network issue, the alerts produced by the agent will be lost. This functionality would be unacceptable to most compliance standards (namely the PCI DSS).

Is there any way to ensure that all alerts sent from OSSEC hosts to the OSSEC server are successfully received by the OSSEC server--and to hold onto those alerts that were not received successfully for re-sending?

Thank you,
Michael Altfield
