That helps immensely, it's pretty much exactly what we are looking to build, right down to us using splunk and puppet and about the same amount of hosts in the same amount of locations.
Thanks a lot. Zate On Sun, Apr 1, 2012 at 6:22 AM, Kat <[email protected]> wrote: > 4 installs -- > 1700 hosts > 1200 hosts > 1340 hosts > and 900 (oops, that is not over 1000, but close) > > Use puppet to manage deployments rather than OSSEC itself. Also, > puppet maintains more than just agent.conf. Splunk on the backend with > "Splunk for OSSEC" app handling all the "details". Also, because > this was large mixed platform of Linux, Hp-UX, AIX, Solaris and > Windoze, puppet made things much easier. > > Biggest problem was the constant alerts of disconnected agents, when > they really weren't. This was caused mostly by the load and short > check times in the agent/server codes. I found some patches to bump > that up, but in the beginning I just disabled the "Agent disconnected" > rules, which also worked. > > ** Maybe a note to developers -- as the agent count goes up - set up > check-in timers that go up with the agent count. It would avoid a lot > of false-positives on these alerts. > > My biggest issue was with reporting, which is why Splunk was added to > the mix. This gives the flexibility needed to support both SOC type > engineers as well as auditors requests, and once the reports are > defined, they can modify them easily enough for their needs with just > a little training. > > Hope this helps - if you have questions, just ask and I will try to > answer. > > ~K >
