Hi Tyler,

I have a similar production environment.  We have approx 3000 servers to be
monitored.

The approach I am considering is to have all logs sent to a centralized
server using 'syslog-ng' and have OSSEC run on the centralized syslog-ng
files. Syslog-ng encrypts communication and sends messages via TCP.  We
already have licenses for it, so license cost is not an issue for me.

I believe that OSSEC and syslog use UDP for transporting log messages and
from what I've read, there are reports of syslog losing messages under heavy
load.

On Wed, Sep 22, 2010 at 3:53 PM, Tyler Ross <[email protected]> wrote:

> Hey everyone,
>
> I am running around 225 clients on my single ossec manager, and will be
> installing a great deal more soon.  The total may be somewhere around
> 400-450 clients.  The OSSEC wiki addresses this issue by increasing the
> setmaxagents variable to a greater number.  I guess my question is, in an
> enterprise deployment of OSSEC (which we have become quite dependent on),
> does an OSSEC manager work effectively with 400-500 clients? Will we miss
> alerts, or begin having trouble with agent communication in your experience?
>
> I would like to use a tiered approach to scaling OSSEC in an enterprise,
> but I don't like the idea of using unencrypted syslog to accomplish this.
> Does anyone have any thoughts or suggestions?  As always thanks, and you all
> have been a great help in the past.
>
>
>
> Tyler Ross
>

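As an added illustration of the centralized approach described in the reply above (this is not configuration from the thread, nor from the syslog-ng or OSSEC projects), here is a minimal syslog-ng setup with a TLS-protected TCP transport on the monitored servers and a collector that writes one file per host for OSSEC to read. The collector hostname, port 6514, certificate paths, the `/var/log/central` directory and the connection limit are assumed placeholders.

```conf
########## Client side: goes in /etc/syslog-ng/syslog-ng.conf on each monitored server ##########
@version: 3.1

source s_local {
    unix-dgram("/dev/log");    # local syslog socket
    internal();                # syslog-ng's own status messages
};

destination d_central {
    # tcp() with the tls() option: encrypted, reliable transport instead of plain UDP
    tcp("logcollector.example.internal" port(6514)     # assumed collector name and port
        tls(
            ca_dir("/etc/syslog-ng/ca.d")              # CA that issued the collector's cert
            key_file("/etc/syslog-ng/cert.d/client.key")
            cert_file("/etc/syslog-ng/cert.d/client.crt")
            peer_verify(required-trusted)              # do not send to an unverified collector
        )
        log_fifo_size(10000)   # queue messages locally while the link is slow or reconnecting
    );
};

# flow-control: when the queue fills, syslog-ng stops reading the source instead of
# silently dropping messages, which is the loss-under-load problem UDP cannot avoid
log { source(s_local); destination(d_central); flags(flow-control); };


########## Collector side: goes in syslog-ng.conf on the central server running OSSEC ##########
@version: 3.1

source s_tls {
    tcp(ip(0.0.0.0) port(6514)
        tls(
            key_file("/etc/syslog-ng/cert.d/collector.key")
            cert_file("/etc/syslog-ng/cert.d/collector.crt")
            ca_dir("/etc/syslog-ng/ca.d")
            peer_verify(required-trusted)   # mutual TLS: only hosts with a cert from our CA may send
        )
        max_connections(4000)    # must exceed the number of senders (about 3000 here)
        keep_hostname(no)        # name files after the authenticated peer, not a hostname claimed in the message
    );
};

destination d_files {
    file("/var/log/central/${HOST}.log"     # one file per sending host
        owner("root") group("ossec") perm(0640)
        create_dirs(yes)
        template("${ISODATE} ${HOST} ${PROGRAM}: ${MESSAGE}\n")
    );
};

log { source(s_tls); destination(d_files); flags(flow-control); };
```

On the collector, OSSEC then reads the files with a `<localfile>` entry whose `<log_format>` is `syslog` and whose `<location>` is `/var/log/central/*.log`, so each host's events are analysed by the normal syslog decoders without any OSSEC agent on the sending servers. Note that `flags(flow-control)` only gives back-pressure over TCP; a UDP source has no way to tell the sender to slow down, so messages are dropped once buffers fill.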