On Thu, Mar 1, 2012 at 9:36 AM, Megerman, Joshua <[email protected]> wrote:
> (I originally sent this to [email protected], but that appears to be the
> wrong address since I don’t see it posting to this list. Apologies if this
> ends up being a duplicate post.)
>
> I’ve been asked to set up an OSSEC server and am trying to figure out how
> much space I need to dedicate to it. Here’s the situation:
>
> I have an existing syslog server that we plan to keep for maintaining
> long-term syslogs, and we plan to send syslog output to OSSEC in parallel.
> The OSSEC server will be an RHEL6 VM, and I can give it plenty of space, but
> I also don’t want to waste space. We average between 10-20GB of syslog
> output/day, and that will probably go up as more devices are added. We have
> to keep logs for a certain period of time (it seems to change at random
> times) for PCI and other compliance purposes.
>
> Here are my questions:
>
> 1) How does the OSSEC server store data – what format(s)?

Most of the data OSSEC stores is stored in plain text.

> 2) What data does the OSSEC server store?

Mostly OSSEC alerts, OSSEC daemon logs, and syscheck information for each agent.

> 3) Given that we’re keeping the syslogs in a separate location, what
> (if any) advantages are there to storing OSSEC logs?

If you're exporting the OSSEC alerts, then not much.

> 4) Assuming 10GB of syslog data, approximately how much space would the
> OSSEC logs take up after processing those syslogs? Let’s assume (for
> argument’s sake) that 1% of that log data (100MB) is “interesting”.

There's no real way to answer this. It all depends on how many alerts you see, your tuning, etc.

> 5) How easy is it to rotate/truncate/purge OSSEC logs if we decide to
> keep them for a certain amount of time before clearing them?

Every *nix comes with all of the utilities you should need to do this.

> 6) How much CPU/RAM should I expect to need for OSSEC given the above
> requirements? Fortunately, adding more to a VM is easier than adding space,
> but I’d still like a sense of what I should expect.

It can get CPU intensive if there are a lot of agents and a lot of log messages.

> One last question – does OSSEC play well with SELinux? I generally don’t
> run it on most systems for simplicity’s sake, but given that this is a
> security server, I figure I should probably give it a try…

I don't remember having any trouble with SELinux and OSSEC itself, but it's been a while since I tried.

> Thanks in advance for any and all constructive advice!
>
> Josh
>
> Joshua Megerman
> Sr. Systems Engineer
> IWCO Direct
> Phone: 267-960-3048
> www.iwco.com
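As an added example that is not part of the thread or of the OSSEC project itself: the rotate/purge step asked about in question 5, done with the standard find/gzip utilities the reply points to. It assumes the default OSSEC alert-log layout (/var/ossec/logs/alerts/YYYY/Mon/ossec-alerts-DD.log, one file per day) and that the two retention thresholds are given in days; the directory and thresholds are parameters so it can be pointed at a test tree.

```shell
#!/bin/sh
# Retention policy for OSSEC alert logs (added example, not OSSEC's own tooling).
# Assumes the default layout LOGDIR/YYYY/Mon/ossec-alerts-DD.log.
#
#   ossec_alert_retention LOGDIR COMPRESS_AFTER_DAYS DELETE_AFTER_DAYS
#
# - files older than DELETE_AFTER_DAYS (plain or already gzipped) are removed
# - plain files older than COMPRESS_AFTER_DAYS are gzipped in place
# - empty year/month directories left behind are pruned
#
# Today's file is never touched: ossec-analysisd keeps it open, and
# "-mtime +N" with N >= 1 only matches files last modified more than N days ago.
ossec_alert_retention() {
    local logdir="$1" compress_days="$2" delete_days="$3"

    [ -d "$logdir" ] || { echo "no such directory: $logdir" >&2; return 1; }
    [ "$compress_days" -ge 1 ] 2>/dev/null || { echo "COMPRESS_AFTER_DAYS must be >= 1" >&2; return 1; }
    [ "$delete_days" -gt "$compress_days" ] 2>/dev/null || {
        echo "DELETE_AFTER_DAYS must exceed COMPRESS_AFTER_DAYS" >&2; return 1; }

    # 1. Purge anything past the retention window, compressed or not.
    find "$logdir" -type f \
        \( -name 'ossec-alerts-*.log' -o -name 'ossec-alerts-*.log.gz' \) \
        -mtime +"$delete_days" -exec rm -f {} +

    # 2. Compress closed daily files that are still inside the window.
    find "$logdir" -type f -name 'ossec-alerts-*.log' \
        -mtime +"$compress_days" -exec gzip -f {} +

    # 3. Remove month/year directories that are now empty (-depth: children first,
    #    and "\;" runs rmdir immediately so a parent emptied by it is also caught).
    find "$logdir" -depth -mindepth 1 -type d -empty -exec rmdir {} \;
}

# Run only when invoked directly with arguments, e.g. from cron:
#   ossec_alert_retention /var/ossec/logs/alerts 7 400
if [ "$#" -ge 3 ]; then
    ossec_alert_retention "$@"
fi
```

If logall is enabled, the archives directory uses the same year/month layout and the same function can be pointed at it; the delete threshold is the place to encode whatever retention period compliance currently requires, since PCI-style "keep for N days" maps directly onto -mtime.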
