> From: [email protected] [mailto:[email protected]] On
> Behalf Of dan (ddp)
>
> Most of the data OSSEC stores is stored in plain text.

Excellent - that's much easier to maintain periodically and on the fly :)

> Mostly OSSEC alerts, OSSEC daemon logs, and syscheck information for each
> agent.

OK, so the actual syslog data used by OSSEC is not stored locally by OSSEC itself, though that doesn't mean it couldn't be.

> If you're exporting the OSSEC alerts, then not much.

I'm not sure what you mean by that (I haven't delved too deeply into the OSSEC configuration details yet). If the OSSEC alert logs are just plain text, they'll probably live on the OSSEC server unless they also go out via syslog...

>> 4) Assuming 10GB of syslog data, approximately how much space
>> would the OSSEC logs take up after processing those syslogs? Let's
>> assume (for argument's sake) that 1% of that log data (100MB) is
>> "interesting".
>
> There's no real way to answer this. It all depends on how many alerts you
> see, your tuning, etc.

OK, I'll have to dig deeper into this.

> Every *nix comes with all of the utilities you should need to do this.

Logrotate is my friend - got it :)

> It can get CPU intensive if there are a lot of agents and a lot of log
> messages.

OK, good to know. I'll probably have to allocate more CPU than I originally planned.

> I don't remember having any trouble with SELinux and OSSEC itself, but it's
> been a while since I tried.

OK, thanks for the info! I think I'm going to have to just set it up and run some tests, but this has given me a good sense of where to start and what to expect.

Thanks again!
Josh

Joshua Megerman
Sr. Systems Engineer
IWCO Direct
Phone: 267-960-3048
www.iwco.com

______________________________________________
CONFIDENTIALITY NOTICE: This e-mail, and any files/attachments transmitted, may include confidential and/or proprietary information from IWCO Direct, intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient, you are hereby notified that disclosure, printing, copying, distribution, or the taking of any action in reliance on the contents of this electronic information is strictly prohibited. If you have received this e-mail message in error, please immediately notify the sender by reply message and then delete the electronic message and any files/attachments.
______________________________________________
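The thread's answer to the sizing question is that alert volume depends on tuning, so the practical move is to measure it on a test server rather than guess. The script below is an added example, not code from the thread or from the OSSEC project: it parses the plain-text alert format OSSEC writes to alerts.log (each record opens with a "** Alert" header and ends with a blank line, with a "Rule: N (level L) -> '...'" line inside) and reports how many alerts and how many bytes each rule produced, plus the ratio of alert bytes to the raw syslog volume that fed them. The alert records embedded in it are constructed for the demonstration; the default path /var/ossec/logs/alerts/alerts.log and the 10GB raw-volume figure are assumptions taken from the thread's hypothetical.

```python
"""Measure which OSSEC rules account for the bytes in alerts.log.

Added example (not from the mailing-list thread or the OSSEC project).
Assumes the standard OSSEC alerts.log layout: a record starts with
'** Alert <epoch>.<counter>:' and records are separated by a blank line.
The sample records below are constructed for this demonstration.
"""
import re
import sys
from collections import defaultdict

ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.(\d+):")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")

# Constructed sample: three failed-SSH-login alerts and one sudo alert.
SAMPLE_ALERTS = """\
** Alert 1257337728.51916: - syslog,sshd,authentication_failed,
2009 Nov 04 14:28:48 (web01) 10.0.0.11->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Nov  4 14:28:46 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51522 ssh2

** Alert 1257337731.52180: - syslog,sshd,authentication_failed,
2009 Nov 04 14:28:51 (web01) 10.0.0.11->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: admin
Nov  4 14:28:49 web01 sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51530 ssh2

** Alert 1257337740.52901: - syslog,sshd,authentication_failed,
2009 Nov 04 14:29:00 (db01) 10.0.0.21->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 203.0.113.7
User: root
Nov  4 14:28:58 db01 sshd[8810]: Failed password for root from 203.0.113.7 port 51544 ssh2

** Alert 1257337802.53377: - syslog,sudo,
2009 Nov 04 14:30:02 (db01) 10.0.0.21->/var/log/auth.log
Rule: 5402 (level 3) -> 'Successful sudo to ROOT executed'
User: josh
Nov  4 14:30:01 db01 sudo:     josh : TTY=pts/0 ; PWD=/home/josh ; USER=root ; COMMAND=/bin/ls

"""


def parse_alerts(text):
    """Return one dict per alert: ts, rule, level, description, size (bytes).

    The size of a record includes its header, body and the blank separator
    line that follows it, so the sizes sum to the size of the file.
    """
    alerts = []
    current = None
    for line in text.splitlines(keepends=True):
        m = ALERT_HEADER.match(line)
        if m:
            current = {"ts": int(m.group(1)), "rule": None, "level": None,
                       "description": None, "size": 0}
            alerts.append(current)
        if current is None:
            continue  # anything before the first header is not an alert
        current["size"] += len(line.encode("utf-8"))
        r = RULE_LINE.match(line.rstrip("\r\n"))
        if r:
            current["rule"] = int(r.group(1))
            current["level"] = int(r.group(2))
            current["description"] = r.group(3)
    return alerts


def bytes_per_rule(alerts):
    """Aggregate alert count and bytes per (rule id, level, description)."""
    stats = defaultdict(lambda: {"count": 0, "bytes": 0})
    for a in alerts:
        key = (a["rule"], a["level"], a["description"])
        stats[key]["count"] += 1
        stats[key]["bytes"] += a["size"]
    return dict(stats)


def alert_share(alert_bytes, raw_syslog_bytes):
    """Fraction of the raw syslog volume that ended up in alerts.log."""
    return alert_bytes / raw_syslog_bytes


def report(text, raw_syslog_bytes):
    """Rules sorted by bytes produced, then the alerts-to-raw ratio."""
    stats = bytes_per_rule(parse_alerts(text))
    total = sum(s["bytes"] for s in stats.values())
    lines = [f"rule {rule} level {level} {s['count']:6d} alerts {s['bytes']:9d} B  {desc}"
             for (rule, level, desc), s in
             sorted(stats.items(), key=lambda kv: -kv[1]["bytes"])]
    lines.append(f"alerts.log: {total} B = "
                 f"{100 * alert_share(total, raw_syslog_bytes):.4f}% of "
                 f"{raw_syslog_bytes} B raw syslog")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python ossec_alert_sizes.py [/var/ossec/logs/alerts/alerts.log] [raw_bytes]
    # (path and raw-volume figure are assumptions; defaults use the sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_ALERTS
    raw = int(sys.argv[2]) if len(sys.argv) > 2 else 10 * 1024 ** 3
    print(report(text, raw))
```

Run it against a day's alerts.log together with the byte count of the syslog that was fed in over the same day (from the agents' archived logs or the syslog collector) and the ratio replaces the "1% interesting" guess with a measured figure; the per-rule table shows which rules to tune down when the number is higher than the disk budget allows. One caveat worth knowing before writing a logrotate stanza: OSSEC rotates alerts.log itself once a day into dated files under /var/ossec/logs/alerts/YYYY/Mon/, so the external rotation only has to handle retention of those dated files and the daemon log, not alerts.log.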
