Sending the forwarded alerts to a separate file makes sense. I didn't want to leave a machine that important totally unprotected.
I'll look into the products you mentioned below. Thanks again,

Tom

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Wednesday, April 25, 2012 10:57 AM
To: [email protected]
Subject: Re: [ossec-list] Syslog Server

On Wed, Apr 25, 2012 at 10:48 AM, Tom Piersa <[email protected]> wrote:
> I've been tinkering with OSSEC for about 6 months now. I'd like to set up a
> syslog server and have OSSEC send its alerts to the syslog server. Then I
> would like to use an Open Source tool to do reporting off the syslog server.
> Two questions:
>
> 1. Since OSSEC does some of its reporting off the log files, if I
> install OSSEC on the syslog server will I get double entries? It just sounds
> like a loop.
>

It can happen. I usually configure rsyslog or syslog-ng to put the
forwarded OSSEC alerts in a file that isn't being monitored by OSSEC.

>
> 2. My security budget got doubled this year. $0x2=$0. But we must be
> secure. If I can't do that, I can feel free to quit and we'll get someone
> who will. So what Open Source products can I use for Debian syslog
> reporting? I'd like something web based. At this point I'm just looking to
> see all of my log info in one place.
>

In no particular order:
logstash
graylog2
elsa
octopussy (seriously)

Limited "free" versions:
splunk (free version)

> Thanks much,
>
> Tom
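The loop dan describes (an OSSEC install on the syslog server re-reading its own forwarded alerts) can be checked mechanically from the two configs involved. The script below is an added example, not code from this thread or from the OSSEC project: the ossec.conf and rsyslog.conf excerpts are constructed, the server address and file paths are placeholders, and the rsyslog reader models only the handful of legacy-syntax constructs the sample uses (the `*.*` selector, `:programname` property filters, `&` continuation lines, file actions and the `~` discard). It lists the files that a message tagged `ossec` would be written to, intersects that with the `<localfile>` locations OSSEC monitors, and reports any overlap.

```python
"""Check an OSSEC syslog-forwarding setup for the "loop" discussed on the list:
alerts sent to the syslog server landing in a file that the OSSEC install on
that server also monitors as a <localfile>.

Added example, not part of the ossec-list thread. All config text below is
constructed; hosts, ports and paths are placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Constructed ossec.conf excerpt for the OSSEC install running ON the syslog
# server. <syslog_output> forwards alerts out; <localfile> lists what it reads.
OSSEC_CONF = """\
<ossec_config>
  <syslog_output>
    <server>10.0.0.5</server>
    <port>514</port>
  </syslog_output>
</ossec_config>
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>
</ossec_config>
"""

# Constructed rsyslog (legacy syntax) excerpt: OSSEC alerts go to their own
# file and '& ~' discards them so the catch-all below never sees them.
RSYSLOG_SAFE = """\
$ModLoad imudp
$UDPServerRun 514
auth,authpriv.*                 /var/log/auth.log
:programname, isequal, "ossec"  /var/log/ossec-forwarded.log
& ~
*.*                             -/var/log/syslog
"""

# Same config with the discard line forgotten: alerts also reach /var/log/syslog.
RSYSLOG_LOOPING = RSYSLOG_SAFE.replace("& ~\n", "")

PROP_FILTER = re.compile(r'^:programname,\s*(isequal|contains),\s*"([^"]*)"\s+(\S+)$')


def monitored_files(ossec_conf):
    """Return the set of <location> paths from every <localfile> block.
    ossec.conf may carry several top-level <ossec_config> elements, so wrap the
    text in a dummy root to make it well-formed XML."""
    root = ET.fromstring("<root>" + ossec_conf + "</root>")
    found = set()
    for lf in root.iter("localfile"):
        loc = lf.find("location")
        if loc is not None and loc.text:
            found.add(loc.text.strip())
    return found


def files_receiving(rsyslog_conf, programname):
    """Walk rsyslog legacy rules in order and list the files a message tagged
    `programname` is written to. Facility/priority selectors other than '*.*'
    are not modelled and are treated as non-matching."""
    files = []
    last_match = False
    for raw in rsyslog_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#$":   # blank, comment, or $-directive
            continue
        if line.startswith("&"):          # continuation: reuse previous filter
            matched, action = last_match, line[1:].strip()
        else:
            m = PROP_FILTER.match(line)
            if m:
                op, value, action = m.groups()
                matched = programname == value if op == "isequal" else value in programname
            else:
                parts = line.split(None, 1)
                if len(parts) != 2:
                    continue
                selector, action = parts
                matched = selector == "*.*"
            last_match = matched
        if not matched:
            continue
        if action == "~":                 # discard: later rules never see it
            break
        if action.startswith(("/", "-/")):
            files.append(action.lstrip("-"))
    return files


def forwarding_loops(ossec_conf, rsyslog_conf, programname="ossec"):
    """Files that both receive forwarded OSSEC alerts and are monitored by OSSEC."""
    return sorted(set(files_receiving(rsyslog_conf, programname)) & monitored_files(ossec_conf))


if __name__ == "__main__":
    for name, conf in (("safe", RSYSLOG_SAFE), ("looping", RSYSLOG_LOOPING)):
        print(name, "-> loops:", forwarding_loops(OSSEC_CONF, conf) or "none")
```

With the `& ~` line present the only destination for `ossec`-tagged messages is `/var/log/ossec-forwarded.log`, which OSSEC does not monitor; without it the catch-all `*.*` rule also writes the alerts into `/var/log/syslog`, which OSSEC does read, and the script flags that file. On the OSSEC side the `<syslog_output>` block only takes effect once `ossec-control enable client-syslog` has been run; a syslog-ng setup would need its own reader, since its filter/destination/log syntax is not what this script parses.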
