Agents don't send alerts to servers, they send logs. If you want to limit
the data going from the site, you should set up a local manager and forward
alerts to your central ossec manager.
On Sep 28, 2011 5:36 AM, "Andrew Shepherd" <[email protected]> wrote:
>
>
> I've bought/read the Syngress book, read ossec.net and dcid.me, and had a
> good look through this group but so far no luck.
>
> The problem I'm facing is the <log_alert_level> in ossec.conf for
> clients doesn't seem to have an effect. I've read somewhere that
> <log_alert_level> can be used on the server AND the client to
> limit alerts that are sent to the server.
>
> However even when I set this to 9 (for example) on the client...
> <alerts>
> <log_alert_level>9</log_alert_level>
> <email_alert_level>12</email_alert_level>
> </alerts>
>
> ...there is still an almost constant UDP stream from client to server, and the
> log on the ossec server keeps receiving/logging level 6 alerts etc.
>
> Project details:
> -Server is on a site with limited bandwidth and will not support constant
> reporting of ALL alerts by EVERY client
> -All traffic MUST be encrypted
> -I'm avoiding syslog as I'm not a fan of the format syslog will store in
> (not sure how to parse that back to a WebUI) and I can't see many tuts
> on the best way for encryption
> -client version ossec-hids-2.5.1-1
>
> I've read
> http://dcid.me/2008/08/multi-server-architecture/
> But can't see any follow up of the 'same communication channel' but I may
> be missing something.
>
> Any help greatly appreciated.
> Andy
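The reply's point is that `<log_alert_level>` only takes effect where rules are evaluated, i.e. on a manager, so the place to measure what a site would forward is the local manager's alerts.log, not the agent's UDP stream. The following script is an added example, not code from the thread or from the OSSEC project: it parses records in the OSSEC 2.x alerts.log layout (assumed format: a `** Alert` header line, a timestamp/location line and a `Rule: N (level L)` line per record), applies a minimum level the way `log_alert_level` would, and reports how many records and bytes would cross the limited link. The sample log text is constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in alerts.log layout (not taken from the thread).
SAMPLE_ALERTS_LOG = """\
** Alert 1317209789.1234: - syslog,sshd,
2011 Sep 28 05:36:29 (agent01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
Sep 28 05:36:28 agent01 sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 4444 ssh2

** Alert 1317209801.1310: - syslog,sshd,authentication_success,
2011 Sep 28 05:36:41 (agent01) 10.0.0.5->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 10.0.0.20
Sep 28 05:36:40 agent01 sshd[2215]: Accepted publickey for andy from 10.0.0.20 port 50122 ssh2

** Alert 1317209950.1402: mail  - syslog,sshd,authentication_failures,
2011 Sep 28 05:39:10 (agent01) 10.0.0.5->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.0.2.10
Sep 28 05:39:09 agent01 sshd[2230]: Failed password for root from 192.0.2.10 port 4450 ssh2
"""

# Header: "** Alert <epoch>.<seq>: [mail] - group1,group2,"
HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.(\d+):(?: mail)?\s+- (\S*)$")
# Rule line: "Rule: <id> (level <n>) -> '<description>'"
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
# Source line: "<YYYY Mon DD HH:MM:SS> <agent/host>-><location>"
SOURCE_RE = re.compile(r"^(\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (.+)->(.+)$")


@dataclass
class Alert:
    timestamp: int
    alert_id: str
    groups: List[str]
    rule_id: int
    level: int
    description: str
    location: str
    mail: bool      # True when the manager also flagged the alert for e-mail
    raw: str        # the full record, used to estimate forwarded bytes


def parse_alerts_log(text: str) -> List[Alert]:
    """Split alerts.log into blank-line separated records and parse each one."""
    alerts: List[Alert] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        header = HEADER_RE.match(lines[0])
        if not header:
            continue  # not an alert header; skip the malformed record
        epoch, seq, group_field = header.groups()
        rule_id = level = None
        description = location = ""
        for line in lines[1:]:
            rule = RULE_RE.match(line)
            if rule:
                rule_id, level = int(rule.group(1)), int(rule.group(2))
                description = rule.group(3)
                continue
            src = SOURCE_RE.match(line)
            if src and not location:
                location = src.group(3)
        if rule_id is None or level is None:
            continue  # no Rule: line, nothing to filter on
        alerts.append(Alert(
            timestamp=int(epoch),
            alert_id=f"{epoch}.{seq}",
            groups=[g for g in group_field.split(",") if g],
            rule_id=rule_id,
            level=level,
            description=description,
            location=location,
            mail=": mail" in lines[0],
            raw=block,
        ))
    return alerts


def forwardable(alerts: List[Alert], min_level: int) -> List[Alert]:
    """Keep only alerts at or above min_level, as log_alert_level does on a manager."""
    return [a for a in alerts if a.level >= min_level]


def forwarding_summary(alerts: List[Alert], min_level: int) -> Dict[str, int]:
    """Count records and bytes that would be forwarded versus dropped at min_level."""
    kept = forwardable(alerts, min_level)
    dropped = [a for a in alerts if a.level < min_level]
    return {
        "kept": len(kept),
        "dropped": len(dropped),
        "bytes_kept": sum(len(a.raw) for a in kept),
        "bytes_dropped": sum(len(a.raw) for a in dropped),
    }


if __name__ == "__main__":
    parsed = parse_alerts_log(SAMPLE_ALERTS_LOG)
    for threshold in (3, 6, 9):
        print(threshold, forwarding_summary(parsed, threshold))
```

Run it against a copy of a local manager's alerts.log to see how much a given `<log_alert_level>` would actually cut from the site's outbound traffic before committing to a threshold; raising the level on the agent side changes nothing, because the agent never evaluates rules.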