Hi Oscar,

My answers:

1 - Whenever I can, I install on servers + desktops. However, I generally go with a less noisy set of rules on the desktop (especially for FIM).

2 - Single manager when possible to make it easier to manage.

3 - Yes.

4 - I do. On my laptops I always configure OSSEC with two IP addresses for the manager:

    <server-ip>10.1.1.1</server-ip>
    <server-ip>external-ip</server-ip>

So that it will work when inside or outside the network. Also, I generally set the IP of the client itself as "any".

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Thu, Feb 11, 2010 at 8:40 AM, oscar schneider <[email protected]> wrote:
> Hey OSSEC list,
>
> I would like to ask you a few questions about how OSSEC is deployed at
> your company. Of course the answers to these contain sensitive data,
> so I would already be very happy about vague answers if necessary.
>
> So here we go:
>
> 1) Do you deploy OSSEC only on servers or also on desktop machines?
>
> 2) Do you use a single OSSEC server or several independent OSSEC
> servers or do you have a multi-server architecture as described here:
> http://www.ossec.net/dcid/?p=144
>
> 3) Do you make use of agentless monitoring?
>
> 4) If you deploy an OSSEC agent on a notebook that is often used for
> use outside the company network, do you let them access the OSSEC
> server when they are on the road or only when they are inside the
> network? Do you have a dedicated OSSEC server for connections from the
> internet? Do you only allow agents from external IPs to connect after
> setting up a VPN connection?
>
> 5) Do you use OSSEC not only for intrusion detection but also for
> general monitoring tasks (e.g. if some log messages trigger false
> positives in regards to intrusion detection, but show that there is
> need for some maintenance, do you forward these alerts to the
> responsible admin)?
>
> Kind regards,
>
> Oscar
>
