I haven't tested this, so it may not work. If you try it, report back. ;) You could use ossec-csyslogd to forward messages to a "local" syslog server that does not save the logs to disk but just forwards them. Using syslog-ng or rsyslog you could set up TCP syslog as well as encryption, and this would be much more of a guarantee of delivery along with security.

On Wed, Sep 22, 2010 at 3:53 PM, Tyler Ross <[email protected]> wrote:
> Hey everyone,
>
> I am running around 225 clients on my single ossec manager, and will be
> installing a great deal more soon. The total may be somewhere around
> 400-450 clients. The OSSEC wiki addresses this issue by increasing the
> setmaxagents variable to a greater number. I guess my question is, in an
> enterprise deployment of OSSEC (which we have become quite dependent on),
> does an OSSEC manager work effectively with 400-500 clients? Will we miss
> alerts, or begin having trouble with agent communication in your experience.
>
> I would like to use a tiered approach to scaling OSSEC in an enterprise, but
> I don't like the idea of using unencrypted syslog to accomplish this. Does
> anyone have any thoughts or suggestions? As always thanks, and you all have
> been a great help in the past.
>
> Tyler Ross
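
A sketch of the relay suggested in the reply above, added here as an example and not taken from the thread or from the OSSEC project: an rsyslog instance on the manager accepts ossec-csyslogd output on loopback only and forwards it over TLS-protected TCP without writing log files. The hostname `siem.example.internal`, the CA file path and the file name are assumptions; the rsyslog GnuTLS driver package must be installed.

```conf
# /etc/rsyslog.d/ossec-relay.conf  (file name is an assumption)
#
# OSSEC side, in ossec.conf on the manager, points csyslogd at loopback:
#   <syslog_output>
#     <server>127.0.0.1</server>
#     <port>514</port>
#   </syslog_output>
# then: /var/ossec/bin/ossec-control enable client-syslog

# Accept UDP syslog on loopback only, so the cleartext hop never
# leaves the host, and hand it to a dedicated ruleset.
module(load="imudp")
input(type="imudp" address="127.0.0.1" port="514" ruleset="ossec_relay")

# TLS driver and the CA used to validate the upstream collector.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"   # assumed path
)

ruleset(name="ossec_relay") {
  # Forward only; no omfile action, so no log files are written here.
  action(
    type="omfwd"
    target="siem.example.internal"      # assumed upstream collector
    port="6514"
    protocol="tcp"
    StreamDriver="gtls"
    StreamDriverMode="1"                # 1 = TLS required
    StreamDriverAuthMode="x509/name"    # verify the server certificate name
    StreamDriverPermittedPeers="siem.example.internal"
    # In-memory queue: buffers while the collector is unreachable,
    # but its contents are lost if rsyslog itself stops.
    queue.type="LinkedList"
    queue.size="50000"
    action.resumeRetryCount="-1"        # retry indefinitely
  )
}
```

The collector has to listen with a matching TLS configuration on the chosen port, and its certificate must chain to the CA file named here.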
