For me, the most defying discredit to OSSEC is the loss of alerts in
the high-availability solution.

I am trying to defend OSSEC in face of management,
but it is really hard when OSSEC comes with a default blackout of 30
minutes.

Following the description for a multi-server architecture, the
OSSEC servers can take charge of another failed OSSEC server,
but the problem is that the client does not "see" that the server is
down before the end of a certain hardcoded window (3 times NOTIFY_TIME
= 30 minutes).
And since OSSEC is using UDP it will continue to send over loglines to
the non-responsive server.
As described in the wiki, it will block the processing of the log
during the switchover, but not during the blackout window...

Especially when OSSEC is proposed as an HIDS, this does not go well
with management.

I have reduced the notify_time to a smaller unit, but I am not sure
where the limit is, before functionality is impacted.

That's one of my two cents.
