Hey everyone, I am running around 225 clients on my single OSSEC manager, and will be installing a great deal more soon. The total may be somewhere around 400-450 clients. The OSSEC wiki addresses this issue by increasing the setmaxagents variable to a greater number. I guess my question is, in an enterprise deployment of OSSEC (which we have become quite dependent on), does an OSSEC manager work effectively with 400-500 clients? Will we miss alerts, or begin having trouble with agent communication, in your experience?
I would like to use a tiered approach to scaling OSSEC in an enterprise, but I don't like the idea of using unencrypted syslog to accomplish this. Does anyone have any thoughts or suggestions?

As always, thanks, and you all have been a great help in the past.

Tyler Ross
