On Wed, Sep 22, 2010 at 9:53 PM, Tyler Ross <[email protected]> wrote:
> Hey everyone,
>
> I am running around 225 clients on my single OSSEC manager, and will be
> installing a great deal more soon. The total may be somewhere around
> 400-450 clients. The OSSEC wiki addresses this issue by increasing the
> setmaxagents variable to a greater number. I guess my question is, in an
> enterprise deployment of OSSEC (which we have become quite dependent on),
> does an OSSEC manager work effectively with 400-500 clients? Will we miss
> alerts, or begin having trouble with agent communication in your experience?
>
> I would like to use a tiered approach to scaling OSSEC in an enterprise, but
> I don't like the idea of using unencrypted syslog to accomplish this. Does
> anyone have any thoughts or suggestions? As always, thanks, and you all have
> been a great help in the past.
>
Hi Tyler,

it seems that others on the list are managing at least that number of agents, and there is an ongoing thread where Christopher Moraes today reported 6000 events per second (log monitor only) no problem.

I'm curious though, what are people doing with the alerts? Email alerts do not seem to be a feasible approach even for a couple clients unless a lot of time is spent setting up ignore rules.

Cheers,
-Kacper
