Hi Dan, thanks for the reply. Do you know of any material that will help with the following please, as I am drawing blanks (or a lack of coffee is breaking my ability to google)...

The changes which have to be made to the WebUI to allow it to read entries in syslog format instead of /logs/alerts/alerts.log (as defined in WebUI lib/os_lib_alerts.php). I'm struggling to understand who is responsible for encryption in the syslog multi-server setup: is it an ossec flag/feature, do you have to use stunnel, is rsyslog still called and that service is responsible, etc.?

Thanks,
Andy

Date: Wed, 28 Sep 2011 05:38:54 -0400
Subject: Re: [ossec-list] Client ossec.conf log_alert_levels
From: [email protected]
To: [email protected]

Agents don't send alerts to servers, they send logs. If you want to limit the data going from the site, you should set up a local manager and forward alerts to your central ossec manager.

On Sep 28, 2011 5:36 AM, "Andrew Shepherd" <[email protected]> wrote:
>
> I've bought/read the Syngress book, read ossec.net and dcid.me, and had a
> good look through this group but so far no luck.
>
> The problem I'm facing is the <log_alert_level> in ossec.conf for
> clients doesn't seem to have an effect. I've read somewhere that
> <log_alert_level> can be used on the server AND the client to
> limit alerts that are sent to the server.
>
> However even when I set this to 9 (for example) on the client...
> <alerts>
>   <log_alert_level>9</log_alert_level>
>   <email_alert_level>12</email_alert_level>
> </alerts>
>
> ...there is still an almost constant UDP stream from client to server, and the
> log on the ossec server keeps receiving/logging level 6 alerts etc.
>
> Project details:
> - Server is on a site with limited bandwidth and will not support constant
>   reporting of ALL alerts by EVERY client
> - All traffic MUST be encrypted
> - I'm avoiding syslog as I'm not a fan of the format syslog will store in
>   (not sure how to parse that back to a WebUI) and I can't see many tuts
>   on the best way for encryption
> - client version ossec-hids-2.5.1-1
>
> I've read http://dcid.me/2008/08/multi-server-architecture/
> But can't see any follow up of the 'same communication channel' but I may be
> missing something.
>
> Any help greatly appreciated.
> Andy
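As an added illustration (not part of this thread, and not OSSEC or WebUI code), here is a small Python normaliser that reads alerts both from the alerts.log block layout the WebUI already parses and from the one-line layout the manager's <syslog_output> writes, so a consumer can treat either source alike; the sample records are constructed and the field layouts are assumed to match the default OSSEC formats. The final helper applies the same level cut-off that <log_alert_level> enforces on the manager, which is where alert levels exist at all, since agents forward raw logs rather than alerts.

```python
import re
# Constructed samples (assumed default OSSEC layouts): two alerts.log blocks, then the
# first of them again as the manager's <syslog_output> emits it on one line.
ALERTS_LOG = """** Alert 1317199134.29001: - syslog,sshd,authentication_failed,
2011 Sep 28 09:38:54 (agent01) 192.0.2.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.5
User: root
Sep 28 09:38:54 agent01 sshd[4321]: Failed password for root from 203.0.113.5 port 51022 ssh2

** Alert 1317199140.29210: - syslog,
2011 Sep 28 09:39:00 (agent01) 192.0.2.10->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
Sep 28 09:39:00 agent01 sudo: andy : TTY=pts/0 ; PWD=/home/andy ; USER=root ; COMMAND=/bin/ls
"""
SYSLOG_LINE = ("Sep 28 09:38:54 manager ossec: Alert Level: 5; Rule: 5716 - SSHD authentication failed.; "
               "Location: (agent01) 192.0.2.10->/var/log/auth.log; srcip: 203.0.113.5; user: root; "
               "Sep 28 09:38:54 agent01 sshd[4321]: Failed password for root from 203.0.113.5 port 51022 ssh2")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SYSLOG_RE = re.compile(r"ossec: Alert Level: (\d+); Rule: (\d+) - (.*?); Location: (.*?);"
                       r"(?: srcip: (\S+);)?(?: user: (\S+);)? (.*)$")

def parse_alerts_log(text):
    """Yield one normalised record per '** Alert' block of alerts.log."""
    for block in text.split("** Alert ")[1:]:
        lines = block.strip().splitlines()
        rule_id, level, desc = RULE_RE.match(lines[2]).groups()
        rec = {"location": lines[1].split(" ", 4)[4], "rule": int(rule_id), "level": int(level),
               "description": desc, "srcip": None, "user": None}
        body = []
        for line in lines[3:]:  # optional 'Src IP:' / 'User:' lines, then the raw log event
            if line.startswith("Src IP: "):
                rec["srcip"] = line[len("Src IP: "):]
            elif line.startswith("User: "):
                rec["user"] = line[len("User: "):]
            else:
                body.append(line)
        rec["log"] = "\n".join(body)
        yield rec

def parse_syslog_line(line):  # same record shape from one syslog-output line; None if not an alert
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    level, rule_id, desc, location, srcip, user, log = m.groups()
    return {"location": location, "rule": int(rule_id), "level": int(level),
            "description": desc, "srcip": srcip, "user": user, "log": log}

def alerts_at_or_above(records, min_level):  # the manager's <log_alert_level> cut-off, applied at the consumer
    return [r for r in records if r["level"] >= min_level]
```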
