Bump, as I'm sure this got lost in weekend email.
-Josh

From: Josh Brower [mailto:[email protected]]
Sent: Saturday, July 30, 2011 4:16 PM
To: '[email protected]'
Subject: OSSEC + OSSIM + Distributed Env.

I am looking at setting up OSSEC on my critical servers, which will then dump into OSSIM. This will be set up at 5 locations, with each location being interconnected via a VPN.

My question is more of a "what is the best way to do this?" question. I am thinking of a couple different scenarios. Any comments would be appreciated:

1) OSSEC Manager at the main site. Each location's agents will ship their logs across the VPN. OSSIM Agent installed on the OSSEC Manager server, to gather all the OSSEC logs.

2) OSSEC Manager at each location, all shipping their logs to the primary OSSEC Manager at the main site. OSSIM Agent installed on the primary OSSEC Manager server, to gather all the OSSEC logs.

3) OSSEC agents ship their logs to the OSSIM sensor that is located at each site. The OSSIM sensor at each site ships its logs across the VPN to the main site's OSSIM server/database.

My main concerns are as follows:

- I don't want to lose logs if the VPN goes down for a couple of hours.
- I am not convinced that I want to use the OSSEC server that comes pre-installed on OSSIM. I would rather the integration not be that tight, as it will be easier to upgrade and troubleshoot when crap happens.

Thoughts or comments?

--
Joshua Brower
[email protected]
DefensiveDepth.com <http://defensivedepth.com/>
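The first concern above, losing logs while the VPN is down, is the one that decides between the three layouts: whichever hop crosses the VPN needs a store-and-forward buffer on the near side of the link. The following is an added illustration, not OSSEC, OSSIM or any code from this thread, of what such a per-site relay has to do: write lines to a local spool when the upstream collector is unreachable, replay the spool in order once it returns, and only then send new lines so ordering is preserved. The `Upstream` class, the `simulate_outage` driver and the sample log lines are constructed for the example; the spool file path is a temporary directory.

```python
"""Store-and-forward relay for syslog-style lines (illustrative, not OSSEC code).

Buffers lines to a local spool file while the upstream collector is down and
replays them in order when it comes back, so an outage on the VPN hop loses
nothing and does not reorder events.
"""
import os
import tempfile

# Constructed sample log lines; not taken from any real host.
SAMPLE_LINES = [
    "Jul 30 16:10:01 web1 sshd[1234]: Accepted publickey for deploy from 10.0.1.5",
    "Jul 30 16:10:07 web1 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "Jul 30 16:10:15 web1 ossec: File integrity check: /etc/passwd modified",
    "Jul 30 16:10:22 web1 sshd[1290]: Failed password for root from 10.0.1.9",
    "Jul 30 16:10:30 web1 sshd[1290]: Failed password for root from 10.0.1.9",
]


class SpoolingForwarder:
    """Sends lines via `send`; spools to disk on OSError and drains before new sends."""

    def __init__(self, send, spool_path):
        self.send = send            # callable(line) -> None; raises OSError when link is down
        self.spool_path = spool_path
        self.sent = 0               # lines delivered upstream (live or replayed)
        self.spooled = 0            # lines that had to be written to the spool

    def _spool(self, line):
        # Append so lines keep arrival order on disk.
        with open(self.spool_path, "a", encoding="utf-8") as f:
            f.write(line.rstrip("\n") + "\n")
        self.spooled += 1

    def flush_spool(self):
        """Replay the spool oldest-first; on failure keep the undelivered tail."""
        if not os.path.exists(self.spool_path):
            return 0
        with open(self.spool_path, encoding="utf-8") as f:
            pending = f.read().splitlines()
        replayed = 0
        for i, line in enumerate(pending):
            try:
                self.send(line)
            except OSError:
                # Upstream still down: rewrite only what has not been delivered.
                with open(self.spool_path, "w", encoding="utf-8") as f:
                    f.write("\n".join(pending[i:]) + "\n")
                return replayed
            self.sent += 1
            replayed += 1
        os.remove(self.spool_path)  # everything delivered
        return replayed

    def forward(self, line):
        """Deliver `line` live if possible; return True on live delivery, False if spooled."""
        self.flush_spool()
        if os.path.exists(self.spool_path):
            # Backlog remains, so the link is still down; queue behind it to keep order.
            self._spool(line)
            return False
        try:
            self.send(line)
            self.sent += 1
            return True
        except OSError:
            self._spool(line)
            return False


class Upstream:
    """Stand-in for the central collector across the VPN; `up` toggles the link."""

    def __init__(self):
        self.up = True
        self.received = []

    def send(self, line):
        if not self.up:
            raise OSError("upstream unreachable")
        self.received.append(line)


def simulate_outage(spool_dir=None):
    """Feed SAMPLE_LINES through the relay with the link down for lines 2 and 3."""
    spool_dir = spool_dir or tempfile.mkdtemp()
    spool = os.path.join(spool_dir, "relay.spool")
    upstream = Upstream()
    relay = SpoolingForwarder(upstream.send, spool)
    live = []
    for i, line in enumerate(SAMPLE_LINES):
        upstream.up = i not in (1, 2)   # constructed outage window
        live.append(relay.forward(line))
    return {
        "received": upstream.received,
        "delivered_live": live,
        "spooled": relay.spooled,
        "sent": relay.sent,
        "spool_left": os.path.exists(spool),
    }


if __name__ == "__main__":
    for k, v in simulate_outage().items():
        print(f"{k}: {v}")
```

Two design points carry over to whichever real layout is chosen: the spool lives on the site's own disk, not on the far side of the VPN, and replay happens before any new live send, otherwise events from the outage window arrive after events that followed them and correlation rules in OSSIM see them out of order.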
