On Thu, 15 Apr 2010 14:42:05 -0400, James Keegan <[email protected]> wrote:

> According to the slides (slide #3) on the OSSEC site, OSSEC is NOT a log management tool; it only stores alerts, not every single log. They recommend that you still have a log management and long-term storage solution for all logs outside of the OSSEC tool.
>
> http://www.ossec.net/ossec-docs/auscert-2007-dcid.pdf
Hello Jim,

OSSEC can store every log with the log-all option, but it is not a log manager. It is intended for log analysis, and that's what it does well (very well). If I may be so bold, I think my presentation from last October makes the distinction pretty well and also explains some other things to keep in mind about log management. It was based in part on Daniel's auscert presentation and can be found here: http://www.ossec.net/ossec-docs/ossec_in_the_enterprise-2009-mstarks.pdf. I also post lots of OSSEC and other log stuff at the blog in my sig.

--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
Information Security, Privacy and Personal Liberty
