(I originally sent this to [email protected], but that appears to be the wrong address since I don't see it posting to this list. Apologies if this ends up being a duplicate post.)
I've been asked to set up an OSSEC server and am trying to figure out how much space I need to dedicate to it. Here's the situation: I have an existing syslog server that we plan to keep for maintaining long-term syslogs, and we plan to send syslog output to OSSEC in parallel. The OSSEC server will be an RHEL6 VM, and I can give it plenty of space, but I also don't want to waste space. We average between 10-20GB of syslog output/day, and that will probably go up as more devices are added. We have to keep logs for a certain period of time (it seems to change at random times) for PCI and other compliance purposes.

Here are my questions:

1) How does the OSSEC server store data - what format(s)?
2) What data does the OSSEC server store?
3) Given that we're keeping the syslogs in a separate location, what (if any) advantages are there to storing OSSEC logs?
4) Assuming 10GB of syslog data, approximately how much space would the OSSEC logs take up after processing those syslogs? Let's assume (for argument's sake) that 1% of that log data (100MB) is "interesting".
5) How easy is it to rotate/truncate/purge OSSEC logs if we decide to keep them for a certain amount of time before clearing them?
6) How much CPU/RAM should I expect to need for OSSEC given the above requirements? Fortunately, adding more to a VM is easier than adding space, but I'd still like a sense of what I should expect.

One last question - does OSSEC play well with SELinux? I generally don't run it on most systems for simplicity's sake, but given that this is a security server, I figure I should probably give it a try...

Thanks in advance for any and all constructive advice!

Josh

Joshua Megerman
Sr. Systems Engineer
IWCO Direct
Phone: 267-960-3048
www.iwco.com
