In the ossec.conf file I understand that I can set logall to "yes" (i.e. <logall>yes</logall>) and it will log all of the events to /logs/archives/archives.log. Is there any way to change the destination IP of where all of the log files get sent? Ideally, I'd like all log files to go to the IP address of my SIEM, and all events that match a rule to get stored locally on the OSSEC server IP. (My current OSSEC server doesn't have enough hard drive space to hold a copy of all of the logs.)
If I can't do this, does anyone run both the Windows OSSEC agent and the Windows Snare program (http://www.intersectalliance.com/projects/BackLogNT/) on their Windows server boxes (2003 and 2008) successfully? I haven't done any tests on this yet, but thought I'd throw it out there. Appreciate any thoughts.

Jason Youngquist, CISSP
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO 65216
(573) 875-7334
[email protected]
http://www.ccis.edu
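For reference, here is an added ossec.conf fragment (not from the post above) showing the two settings involved on the server side: the <logall> switch the question refers to, and OSSEC's own <syslog_output> block, which is the built-in way to forward to a remote collector. The SIEM address 192.0.2.10 and port 514 are placeholder values. Note the caveat: <syslog_output> forwards alerts (events that matched a rule), not the raw archives.log stream, so it gives the opposite split from the one asked for; shipping archives.log itself to the SIEM needs a separate log forwarder on the OSSEC server.

```xml
<ossec_config>
  <global>
    <!-- Log every received event to logs/archives/archives.log,
         whether or not it matched a rule. -->
    <logall>yes</logall>
  </global>

  <!-- Forward alerts to the SIEM over syslog/UDP.
       Placeholder address and port; replace with the real collector. -->
  <syslog_output>
    <server>192.0.2.10</server>
    <port>514</port>
    <!-- Only alerts at this level or above are forwarded. -->
    <level>3</level>
    <format>default</format>
  </syslog_output>
</ossec_config>
```

The syslog forwarder is a separate daemon that is off by default; it is enabled with `/var/ossec/bin/ossec-control enable client-syslog` followed by a restart of the OSSEC server.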
