I've bought/read the Syngress book, read ossec.net and dcid.me, and had a good
look through this group but so far no luck.
The problem I'm facing is the <log_alert_level> in ossec.conf for
clients doesn't seem to have an effect. I've read somewhere that
<log_alert_level> can be used on the server AND the client to
limit alerts that are sent to the server.
However, even when I set this to 9 (for example) on the client...
<alerts>
  <log_alert_level>9</log_alert_level>
  <email_alert_level>12</email_alert_level>
</alerts>
...there is still an almost constant UDP stream from client to server, and the
log on the ossec server keeps receiving/logging level 6 alerts etc.
Project details:
-Server is on a site with limited bandwidth and will not support constant
reporting of ALL alerts by EVERY client
-All traffic MUST be encrypted
-I'm avoiding syslog as I'm not a fan of the format syslog will store in
(not sure how to parse that back to a WebUI) and I can't see many tuts
on the best way for encryption
-client version ossec-hids-2.5.1-1
I've read
http://dcid.me/2008/08/multi-server-architecture/
But can't see any follow up of the 'same communication channel' but I may be
missing something.
Any help greatly appreciated.
Andy
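Added here as an illustration, not part of Andy's post: a small Python parser for the server-side alerts.log layout that tallies alerts per agent and level and lists everything under a given <log_alert_level>, so you can check from the server's own log which levels are actually being written. The sample alert blocks are constructed; agent names, addresses and timestamps are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the OSSEC alerts.log layout (not captured data): a
# "** Alert" header, a timestamp/source line, a "Rule:" line, then detail lines.
SAMPLE_ALERTS = """\
** Alert 1290000000.0: - syslog,sshd,authentication_failed,
2010 Nov 17 10:00:00 (client01) 192.0.2.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Nov 17 10:00:00 client01 sshd[123]: Failed password for invalid user bob

** Alert 1290000001.120: - syscheck,
2010 Nov 17 10:00:01 (client01) 192.0.2.10->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'

** Alert 1290000002.300: - ossec,
2010 Nov 17 10:00:02 ossec-server->ossec-logcollector
Rule: 502 (level 3) -> 'Ossec server started.'

** Alert 1290000003.400: mail  - syslog,sshd,authentication_failures,
2010 Nov 17 10:00:03 (client02) 192.0.2.11->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
"""

# Source line: "(agent) ip->location" for agent events, "host->location" for
# events generated on the server itself.
SOURCE_RE = re.compile(r"^\d{4} \w{3} +\d{1,2} \d\d:\d\d:\d\d "
                       r"(?:\((?P<agent>[^)]+)\) \S+|(?P<local>\S+?))->", re.M)
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\)", re.M)

def parse_alerts(text):
    """Yield (source, rule_id, level) for every alert block in alerts.log text."""
    for block in text.split("** Alert ")[1:]:
        src, rule = SOURCE_RE.search(block), RULE_RE.search(block)
        if src and rule:  # skip truncated blocks (e.g. a partially written tail)
            yield (src.group("agent") or src.group("local"),
                   int(rule.group("rule")), int(rule.group("level")))

def levels_by_source(text):
    """Map each agent/host to a Counter of alert level -> count."""
    out = defaultdict(Counter)
    for source, _rule, level in parse_alerts(text):
        out[source][level] += 1
    return dict(out)

def below_threshold(text, threshold):
    """Alerts that should be absent if <log_alert_level> is honoured at threshold."""
    return [(s, r, lvl) for s, r, lvl in parse_alerts(text) if lvl < threshold]
```

Run it against the real /var/opt/ossec/logs/alerts/alerts.log (path as in a default server install) after changing the setting; anything returned by below_threshold(..., 9) is an alert the server still wrote despite the level 9 setting.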