You are exactly right, Kacper. We've spent quite a bit of time in setup ignoring a great deal of email alerts. Many of the alerts are common false positives, which decreases the volume of alerts. Many of the other alerts are custom to our environment, looking for specific events on our servers, mostly our domain controllers, and we use a great deal of granular alerting.
Thx,
Tyler

On Wed, Sep 22, 2010 at 4:06 PM, Kacper Wysocki <[email protected]> wrote:
> On Wed, Sep 22, 2010 at 9:53 PM, Tyler Ross <[email protected]> wrote:
> > Hey everyone,
> >
> > I am running around 225 clients on my single ossec manager, and will be
> > installing a great deal more soon. The total may be somewhere around
> > 400-450 clients. The OSSEC wiki addresses this issue by increasing the
> > setmaxagents variable to a greater number. I guess my question is, in an
> > enterprise deployment of OSSEC (which we have become quite dependent on),
> > does an OSSEC manager work effectively with 400-500 clients? Will we miss
> > alerts, or begin having trouble with agent communication in your
> > experience?
> >
> > I would like to use a tiered approach to scaling OSSEC in an enterprise,
> > but I don't like the idea of using unencrypted syslog to accomplish this.
> > Does anyone have any thoughts or suggestions? As always thanks, and you
> > all have been a great help in the past.
> >
>
> Hi Tyler,
> it seems that others on the list are managing at least that amount of
> agents, and there is an ongoing thread where Christopher Moraes today
> reported 6000 events per second (log monitor only) no problem.
>
> I'm curious though, what are people doing with the alerts? Email
> alerts do not seem to be a feasible approach even for a couple clients
> unless a lot of time is spent setting up ignore rules.
>
> Cheers,
> -Kacper
>
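The thread talks about "ignore rules" and "granular alerting" without showing what they look like on an OSSEC manager. The fragments below are an added illustration, not configuration posted by Tyler, Kacper or the OSSEC project: a raised global mail threshold plus a per-host email channel for the domain controllers in ossec.conf, and two local rule overrides that respectively silence and discard a noisy stock rule. The hostnames, mail addresses and account names are constructed placeholders; the local rule ids 100001/100002 are arbitrary choices, and the reference to stock rule 5402 (successful sudo to root) is an assumption about the shipped syslog ruleset that should be checked against the installed rules.

```xml
<!-- ossec.conf on the manager (constructed example). -->
<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>secops@example.invalid</email_to>
    <smtp_server>mail.example.invalid</smtp_server>
    <email_from>ossec@example.invalid</email_from>
  </global>

  <!-- Everything still lands in alerts.log (level 1+), but the default
       mailbox only receives level 10 and above. -->
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>10</email_alert_level>
  </alerts>

  <!-- Granular channel: level 7+ alerts whose source host is a domain
       controller go straight to the AD team, bypassing the global
       threshold. event_location takes an OSMatch pattern, so '|' means OR. -->
  <email_alerts>
    <email_to>ad-admins@example.invalid</email_to>
    <event_location>dc01|dc02</event_location>
    <level>7</level>
    <do_not_delay />
  </email_alerts>
</ossec_config>

<!-- rules/local_rules.xml on the manager (constructed example).
     Child rules match after their parent, so these overrides only fire
     for the named accounts; every other sudo-to-root keeps the stock level. -->
<group name="local,syslog,">
  <!-- Keep the event in alerts.log but never mail it. -->
  <rule id="100001" level="5">
    <if_sid>5402</if_sid>
    <user>^backupsvc$</user>
    <options>no_email_alert</options>
    <description>Scheduled backup account used sudo; logged only.</description>
  </rule>

  <!-- Level 0 alerts are discarded entirely: a true ignore rule. -->
  <rule id="100002" level="0">
    <if_sid>5402</if_sid>
    <user>^monitoring$</user>
    <description>Ignore sudo by the monitoring account.</description>
  </rule>
</group>
```

The split between the two local rules is the point worth keeping in mind when tuning: `no_email_alert` preserves the audit trail in alerts.log while cutting mail volume, whereas a level 0 override removes the event from the alert log as well, so it should be reserved for traffic that has no investigative value.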
