Seconded, we're in the same boat; the auditors don't like that alerts are not resent should the OSSEC server be unreachable. We didn't bother detailing everything else; as far as they know it's real-time alerting :) -rich
On Thu, Oct 21, 2010 at 2:35 AM, spacekiwi <[email protected]> wrote:
>
> For me, the most defying discredit to OSSEC is the loss of alerts in
> the high-availability solution.
>
> I am trying to defend OSSEC in the face of management,
> but it is really hard when OSSEC comes with a default blackout of 30
> minutes.
>
> Following the description for a multi-server architecture, the
> OSSEC servers can take charge of another failed OSSEC server,
> but the problem is that the client does not "see" that the server is
> down before the end of a certain hardcoded window (3 times NOTIFY_TIME
> = 30 minutes).
> And since OSSEC is using UDP it will continue to send over log lines to
> the non-responsive server.
> As described in the wiki, it will block the processing of the log
> during the switchover, but not during the blackout window...
>
> Especially when OSSEC is proposed as an HIDS, this does not go well
> with management.
>
> I have reduced the notify_time to a smaller unit, but I am not sure
> where the limit is, before functionality is impacted.
>
> That's one of my two cents.
>
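To put numbers on the blackout window the thread is arguing about, here is a small discrete-time model of the agent behaviour spacekiwi describes: a keepalive every notify_time seconds, the current server written off after 3 * notify_time without a reply, and log lines pushed over UDP to whichever server is current, lost when that server is dead. This is an added simulation, not OSSEC's own code; the constants, the "switch to the next server in the list" rule, the 30-second log cadence and the server names are assumptions made to illustrate the timing, not values read from the OSSEC source or wiki.

```python
"""Constructed model of an OSSEC-style agent failing over between servers.

This is NOT OSSEC code. It models only what the mailing-list thread states:
keepalive every notify_time seconds, server declared dead after
3 * notify_time without a reply, UDP log lines meanwhile silently lost.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Server:
    name: str
    up: bool = True
    received: List[int] = field(default_factory=list)  # timestamps delivered


@dataclass
class Result:
    switch_time: Optional[int]   # second at which the agent moved on
    lost: List[int]              # timestamps of log lines sent to a dead server
    blackout: Optional[int]      # seconds between failure and switch


def simulate(notify_time: int, servers: List[Server], failure_at: int,
             log_period: int = 30, horizon: int = 3600) -> Result:
    """Run one agent against `servers`; servers[0] dies at `failure_at`.

    Assumed agent rules (from the thread, not from OSSEC source):
      - keepalive every `notify_time` s; remember when the server last replied;
      - no reply for 3 * notify_time  ->  move to the next server in the list
        and restart the timer for that server;
      - a log line every `log_period` s is sent over UDP to the current
        server and is lost, not queued, if that server is down.
    """
    max_reconnect_try = 3 * notify_time
    current = 0
    last_reply = 0
    switch_time: Optional[int] = None
    lost: List[int] = []

    for t in range(0, horizon + 1):
        if t == failure_at:
            servers[0].up = False
        # keepalive: only a live server answers
        if t % notify_time == 0 and servers[current].up:
            last_reply = t
        # failover decision: silence for 3 * notify_time -> next server
        if t - last_reply >= max_reconnect_try:
            current = (current + 1) % len(servers)
            last_reply = t          # timer restarts for the new server
            if switch_time is None:
                switch_time = t
        # log line goes out over UDP whether or not the server is alive
        if t % log_period == 0:
            if servers[current].up:
                servers[current].received.append(t)
            else:
                lost.append(t)

    blackout = None if switch_time is None else switch_time - failure_at
    return Result(switch_time, lost, blackout)


def run(notify_time: int, failure_at: int) -> Tuple[Result, List[Server]]:
    """Convenience wrapper: two assumed servers, primary dies at failure_at."""
    servers = [Server("primary"), Server("secondary")]
    return simulate(notify_time, servers, failure_at), servers


if __name__ == "__main__":
    for nt in (600, 60):
        res, _ = run(nt, failure_at=1000)
        print(f"notify_time={nt:4d}s: switched at t={res.switch_time}, "
              f"blackout={res.blackout}s, lost {len(res.lost)} log lines")
```

Under these assumptions the window is not a flat 3 * notify_time: a server that dies right after answering a keepalive costs almost 3 * notify_time, one that dies just before the next keepalive costs a little over 2 * notify_time, so with the default 600 s the agent keeps firing UDP at a dead server for 20 to 30 minutes, and with notify_time=60 for 2 to 3 minutes. Whatever floor OSSEC itself imposes on notify_time, the thing to measure before lowering it in production is the extra keepalive traffic and server load at the new interval, which this model does not capture.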
