Hi Joshua,

Depending on the VPN link and the type / amount of the logs, it might be better to install the manager (or standalone) option on each location (option #2) and only send the alerts to the centralized manager.
I do it often when monitoring httpd (or proxy) logs that can generate thousands or more logs per second that don't need to be sent to the central location... But option #1 is certainly the easiest to set up and get started (note that OSSEC will detect if the manager or link is down and you will not lose a lot of logs).

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Sat, Jul 30, 2011 at 5:16 PM, Josh Brower <[email protected]> wrote:
> I am looking at setting up OSSEC on my critical servers, which will then
> dump into OSSIM. This will be set up at 5 locations, with each location
> being interconnected via a VPN.
>
> My question is more of a “what is the best way to do this?” question.
>
> I am thinking of a couple of different scenarios—any comments would be
> appreciated:
>
> 1) OSSEC Manager at the main site. Each location’s agents will ship
> their logs across the VPN. OSSIM Agent installed on the OSSEC Manager server,
> to gather all the OSSEC logs.
>
> 2) OSSEC Manager at each location, all shipping their logs to the
> primary OSSEC Manager at the main site. OSSIM Agent installed on the primary
> OSSEC Manager server, to gather all the OSSEC logs.
>
> 3) OSSEC agents ship their logs to the OSSIM sensor that is located at
> each site. The OSSIM sensor at each site ships its logs across the VPN to
> the main site’s OSSIM server/database.
>
> My main concerns are as follows:
> - I don’t want to lose logs if the VPN goes down for a couple of
> hours.
> - I am not convinced that I want to use the OSSEC server that
> comes pre-installed on OSSIM—I would rather the integration not be that
> tight, as it will be easier to upgrade and troubleshoot when crap happens.
>
> Thoughts or comments?
>
> --
> Joshua Brower
> [email protected]
> DefensiveDepth.com
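For readers who want to see what Daniel's option #2 looks like in configuration: a manager at each site analyzes its agents' raw logs locally and forwards only alerts, over syslog, to the central manager. The fragment below is an added example for this thread, not part of either message and not a configuration either author published; the VPN addresses (10.10.0.5 for the main site, 10.20.0.5 and 10.30.0.5 for two remote sites), the port and the alert-level threshold are assumptions chosen for illustration.

```xml
<!-- /var/ossec/etc/ossec.conf on each SITE manager (addresses are assumed) -->
<ossec_config>
  <!-- Local agents keep talking to this manager over the OSSEC agent
       protocol; every raw httpd/proxy/syslog line stays on the LAN. -->

  <!-- Forward ALERTS ONLY to the central manager at the main site.
       Requires: /var/ossec/bin/ossec-control enable client-syslog -->
  <syslog_output>
    <server>10.10.0.5</server>   <!-- central OSSEC manager, reachable via the VPN -->
    <port>514</port>
    <level>7</level>             <!-- assumed threshold: nothing below level 7 crosses the VPN -->
    <format>default</format>
  </syslog_output>
</ossec_config>

<!-- /var/ossec/etc/ossec.conf on the CENTRAL manager (main site) -->
<ossec_config>
  <!-- Accept syslog from the site managers only. The agent protocol
       (connection "secure") stays in its own, separate <remote> block. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>10.20.0.5</allowed-ips>   <!-- site A manager -->
    <allowed-ips>10.30.0.5</allowed-ips>   <!-- site B manager -->
  </remote>
</ossec_config>
```

Two caveats a practitioner should weigh against Josh's concerns. First, this path is plain syslog over UDP: there is no authentication or encryption beyond what the VPN provides, so the `allowed-ips` restriction is the only access control on the central side, and there is no retransmission, so alerts raised while the tunnel is down are not re-sent later; they remain in the site manager's own `/var/ossec/logs/alerts/alerts.log`, which is why per-site managers address the "VPN down for a couple of hours" worry better than shipping raw agent traffic across the link. Second, the central manager receives these as ordinary syslog lines, subject to its own decoders and rules like any other syslog source, so whatever consumes them there (OSSIM, in Josh's setup) must be prepared for that format rather than for native agent events.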
