I am looking at setting up OSSEC on my critical servers, which will then
dump into OSSIM. This will be set up at 5 locations, with each location
being interconnected via a VPN.
My question is more of a "what is the best way to do this?" question.
I am thinking of a couple of different scenarios. Any comments would be
appreciated:
1) OSSEC Manager at the main site. Each location's agents will ship
their logs across the VPN. OSSIM Agent installed on OSSEC Manager server,
to gather all the OSSEC logs.
2) OSSEC Manager at each location, all shipping their logs to the
primary OSSEC Manager at the main site. OSSIM Agent installed on the primary
OSSEC manager server, to gather all the OSSEC logs.
3) OSSEC agents ship their logs to the OSSIM sensor that is located at
each site. The OSSIM sensor at each site ships its logs across the VPN to
the main site's OSSIM server/database.
My main concerns are as follows:
- I don't want to lose logs if the VPN goes down for a couple of
hours.
- I am not convinced that I want to use the OSSEC server that
comes pre-installed on OSSIM; I would rather the integration not be that
tight, as it will be easier to upgrade and troubleshoot when crap happens.
Thoughts or comments?
--
Joshua Brower
[email protected]
DefensiveDepth.com <http://defensivedepth.com/>
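The VPN-outage concern raised in the post above, as an added example that is not part of the original message and is not OSSEC or OSSIM code: a small store-and-forward relay that could sit on an OSSEC manager (or beside a site's OSSIM sensor), parse alerts in the layout of OSSEC's alerts.log, spool each one to a local SQLite file, and delete it only after delivery to the remote side succeeds, so a link that is down for hours costs nothing but latency. The alerts.log sample is constructed, the one-line payload layout is my own, and the `send` callback is an assumption standing in for whatever transport reaches the OSSIM side.

```python
"""Store-and-forward relay for OSSEC alerts (added example, not OSSEC/OSSIM code)."""
import os
import re
import shutil
import sqlite3
import tempfile
from typing import Callable, Dict, List

# Constructed sample in the layout of OSSEC's alerts.log: one blank line
# separates alerts; header, origin and rule lines come first, raw log last.
SAMPLE_ALERTS = """\
** Alert 1301933496.15893: - syslog,sshd,authentication_failed,
2011 Apr 04 12:11:36 (web01) 192.168.1.10->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.1.1.1
User: root
Apr  4 12:11:35 web01 sshd[1234]: Failed password for root from 10.1.1.1 port 4321 ssh2

** Alert 1301933510.16102: - syslog,sshd,authentication_success,
2011 Apr 04 12:11:50 (web01) 192.168.1.10->/var/log/secure
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 10.1.1.1
User: jbrower
Apr  4 12:11:49 web01 sshd[1234]: Accepted password for jbrower from 10.1.1.1 port 4322 ssh2
"""

HEADER = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+): .*- (?P<groups>[\w,]+)$")
ORIGIN = re.compile(r"^\d{4} \w{3} \d{2} [\d:]+ \((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<location>\S+)$")
RULE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")


def parse_alerts(text: str) -> List[Dict[str, str]]:
    """Split alerts.log text into alert records keyed by the fields above."""
    alerts: List[Dict[str, str]] = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        head, origin, rule = HEADER.match(lines[0]), ORIGIN.match(lines[1]), RULE.match(lines[2])
        if not (head and origin and rule):
            continue  # unrecognised block: skip it rather than stall the relay
        rec = {**head.groupdict(), **origin.groupdict(), **rule.groupdict()}
        rec["raw"] = block
        alerts.append(rec)
    return alerts


def format_alert(a: Dict[str, str]) -> str:
    """One-line summary for the OSSIM side (own layout, an assumption)."""
    return (f"ossec: Alert Level: {a['level']}; Rule: {a['rule']} - {a['desc']}; "
            f"Location: ({a['agent']}) {a['ip']}->{a['location']}; groups: {a['groups']}")


class Spool:
    """Disk-backed FIFO so alerts survive a VPN outage and a relay restart."""

    def __init__(self, path: str):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS alerts ("
                        "seq INTEGER PRIMARY KEY AUTOINCREMENT, alert_id TEXT UNIQUE, payload TEXT)")
        self.db.commit()

    def enqueue(self, alert: Dict[str, str]) -> None:
        # UNIQUE on the OSSEC alert id makes re-reading a file after a restart idempotent.
        self.db.execute("INSERT OR IGNORE INTO alerts (alert_id, payload) VALUES (?, ?)",
                        (alert["id"], format_alert(alert)))
        self.db.commit()

    def pending(self) -> int:
        return self.db.execute("SELECT COUNT(*) FROM alerts").fetchone()[0]

    def flush(self, send: Callable[[str], None]) -> int:
        """Deliver in insertion order; stop at the first failure, keep the rest spooled."""
        sent = 0
        for seq, payload in self.db.execute("SELECT seq, payload FROM alerts ORDER BY seq").fetchall():
            try:
                send(payload)
            except OSError:
                break  # link down: this and every later alert stay queued
            self.db.execute("DELETE FROM alerts WHERE seq = ?", (seq,))
            self.db.commit()
            sent += 1
        return sent


def demo() -> Dict[str, object]:
    """Simulate the VPN being down (send raises) and then coming back (send records)."""
    tmp = tempfile.mkdtemp()
    spool = Spool(os.path.join(tmp, "spool.db"))
    for alert in parse_alerts(SAMPLE_ALERTS):
        spool.enqueue(alert)

    def vpn_down(_payload: str) -> None:
        raise OSError("connect: no route to host")  # simulated outage

    delivered: List[str] = []
    sent_down = spool.flush(vpn_down)
    pending_down = spool.pending()
    sent_up = spool.flush(delivered.append)
    result = {"sent_down": sent_down, "pending_down": pending_down,
              "sent_up": sent_up, "pending_up": spool.pending(), "delivered": delivered}
    spool.db.close()
    shutil.rmtree(tmp)
    return result


if __name__ == "__main__":
    print(demo())
```

Because the spool is the unit of durability, it belongs on whichever box would otherwise have to hold alerts during an outage: in scenario 1 the remote agents, in scenarios 2 and 3 the per-site manager or sensor. Keeping the relay separate from the OSSIM-bundled OSSEC server also gives the loose coupling the post asks for.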