On Thu, Mar 1, 2012 at 12:15 PM, Megerman, Joshua <[email protected]> wrote:
>> From: [email protected] [mailto:[email protected]] On
>> Behalf Of dan (ddp)
>>
>> Most of the data OSSEC stores is stored in plain text.
>
> Excellent - that's much easier to maintain periodically and on the fly :)
>
>> Mostly OSSEC alerts, OSSEC daemon logs, and syscheck information for each
>> agent.
>
> OK, so the actual syslog data used by OSSEC is not stored locally by OSSEC
> itself, though that doesn't mean it couldn't be.
>
>> If you're exporting the OSSEC alerts, then not much.
>
> I'm not sure what you mean by that (I haven't delved too deeply into the
> OSSEC configuration details yet). If the OSSEC alert logs are just plain
> text, they'll probably live on the OSSEC server unless they also go out via
> syslog...
>

You can export OSSEC alerts via syslog, but you don't have to.

>>> 4) Assuming 10GB of syslog data, approximately how much space
>>> would the OSSEC logs take up after processing those syslogs? Let's
>>> assume (for argument's sake) that 1% of that log data (100MB) is
>>> "interesting".
>>
>> There's no real way to answer this. It all depends on how many alerts you
>> see, your tuning, etc.
>
> OK, I'll have to dig deeper into this.
>
>> Every *nix comes with all of the utilities you should need to do this.
>
> Logrotate is my friend - got it :)
>
>> It can get CPU intensive if there are a lot of agents and a lot of log
>> messages.
>
> OK, good to know. I'll probably have to allocate more CPU than I originally
> planned.
>
>> I don't remember having any trouble with SELinux and OSSEC itself, but it's
>> been a while since I tried.
>
> OK, thanks for the info! I think I'm going to have to just set it up and run
> some tests, but this has given me a good sense of where to start and what to
> expect. Thanks again!
>
> Josh
>
> Joshua Megerman
> Sr. Systems Engineer
> IWCO Direct
> Phone: 267-960-3048
> www.iwco.com
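Dan's point that alert volume "depends on how many alerts you see, your tuning, etc." can be measured on a running server rather than guessed. The script below is an added example (not from this thread or the OSSEC project) that summarises a plain-text alerts.log by rule level and rule id and shows how much would remain if low-level alerts were tuned out; it assumes the OSSEC 2.x alerts.log layout (blank-line separated blocks starting with `** Alert`), and the sample alerts are constructed.

```python
# Added example: size an OSSEC alerts.log by rule level and rule id.
# Assumes the OSSEC 2.x alerts.log layout; SAMPLE_ALERTS is constructed.
import re

HEADER = re.compile(r"^\*\* Alert \d+\.\d+:")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\)", re.M)

SAMPLE_ALERTS = """\
** Alert 1330617600.0: - syslog,sshd,authentication_failed,
2012 Mar 01 12:00:00 (web1) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
Mar  1 12:00:00 web1 sshd[1234]: Failed password for root from 192.0.2.10 port 2222 ssh2

** Alert 1330617601.421: - syslog,sshd,authentication_failed,
2012 Mar 01 12:00:01 (web1) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
Mar  1 12:00:01 web1 sshd[1234]: Failed password for root from 192.0.2.10 port 2223 ssh2

** Alert 1330617660.980: mail  - syslog,sshd,authentication_failures,
2012 Mar 01 12:01:00 (web1) 10.0.0.5->/var/log/auth.log
Rule: 5712 (level 10) -> 'SSHD brute force trying to get access to the system.'
Src IP: 192.0.2.10
Mar  1 12:00:59 web1 sshd[1240]: Failed password for root from 192.0.2.10 port 2230 ssh2
"""

def split_alerts(text):
    """Yield each alert block (header line through the blank separator) as one string."""
    block = []
    for line in text.splitlines(keepends=True):
        if HEADER.match(line) and block:
            yield "".join(block)
            block = []
        block.append(line)
    if block:
        yield "".join(block)

def summarise(text):
    """Return {level: {"alerts": n, "bytes": on-disk bytes, "rules": {rule_id: n}}}."""
    stats = {}
    for alert in split_alerts(text):
        m = RULE.search(alert)
        if not m:
            continue  # malformed block: skip it rather than abort the whole run
        rule_id, level = m.group(1), int(m.group(2))
        s = stats.setdefault(level, {"alerts": 0, "bytes": 0, "rules": {}})
        s["alerts"] += 1
        s["bytes"] += len(alert.encode())
        s["rules"][rule_id] = s["rules"].get(rule_id, 0) + 1
    return stats

def bytes_at_or_above(stats, min_level):
    """Bytes that remain if only alerts of at least min_level are kept (tuning estimate)."""
    return sum(s["bytes"] for lvl, s in stats.items() if lvl >= min_level)

if __name__ == "__main__":
    st = summarise(SAMPLE_ALERTS)
    for level, s in sorted(st.items()):
        print(f"level {level:2d}: {s['alerts']} alerts, {s['bytes']} bytes, rules {s['rules']}")
```

Run it against `/var/ossec/logs/alerts/alerts.log` (read the file into `summarise`) over a representative day to get real bytes per level and per rule before deciding on disk and logrotate settings.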
