Hi all,

I'm currently considering an OSSEC deployment; could I please check my understanding of the following?

OSSEC alerts can be logged to syslog, to a file and to a database, and can be sent as emails.

Original log lines received from agents can be logged to the archive.log file with the "logall" directive for retention. (This doesn't cause them to be added to a configured database, and they don't appear to be sent to syslog either when that is enabled; I presume these aren't options?)

And a slightly off-topic question, if I may. I'd be interested in hearing what others are doing with regard to log retention and enabling rich searching of the archive log. Having taken a quick look at ELSA as an example, it appears to import everything as "ossec-archive", which doesn't seem ideal for making use of the search functions. It would be plausible in our case to actually junk a good portion of what's in the archive (OSSEC keepalives, log lines considered irrelevant for retention), but I'm not sure exactly where to begin (regex not being a strong point) and am wondering what others have done who have used the archive as a basis for log retention.

Many thanks in advance
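One place to begin with the "junk the keepalives, keep the rest" idea is to split each archive line into its OSSEC header (timestamp, agent, IP, source location) and the original log line, then decide per record. The script below is an added example, not code from the poster or from the OSSEC project. It assumes the archive line shape `YYYY Mon DD HH:MM:SS (agent) ip->location original-line` for agent events and `YYYY Mon DD HH:MM:SS host->location original-line` for logs collected on the server itself, and it assumes agent keepalives show up with the pseudo-location `ossec-keepalive` and body `--MARK--`; verify both against your own archives.log before relying on them. The sample lines are constructed, and the cron drop pattern is a hypothetical example of a "not worth retaining" rule.

```python
import json
import re
import sys
from collections import Counter

# Assumed shape of an archives.log line (check against your own file):
#   "YYYY Mon DD HH:MM:SS (agentname) agent-ip->location original log line"
# for agent events, and "YYYY Mon DD HH:MM:SS hostname->location ..." for
# logs collected on the OSSEC server itself.
ARCHIVE_LINE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+?)|(?P<host>\S+?))"
    r"->(?P<location>\S+) (?P<msg>.*)$"
)

# Assumed keepalive marker: pseudo-location and body of an agent keepalive.
KEEPALIVE_LOCATION = "ossec-keepalive"
KEEPALIVE_BODY = "--MARK--"

# Hypothetical "not worth retaining" patterns. They are matched against the
# original log line only, never the OSSEC header, so an agent or path whose
# name happens to contain "cron" is never dropped by accident.
DEFAULT_DROP_PATTERNS = [
    re.compile(r"CRON\[\d+\]: pam_unix\(cron:session\): session (opened|closed)"),
]


def parse_archive_line(line):
    """Split one archives.log line into fields; return None if it is not one."""
    m = ARCHIVE_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "source": m.group("agent") or m.group("host"),
        "ip": m.group("ip"),  # None for server-local logs
        "location": m.group("location"),
        "msg": m.group("msg"),
    }


def is_keepalive(rec):
    """True if the parsed record is an agent keepalive rather than a real log line."""
    return rec["location"] == KEEPALIVE_LOCATION or rec["msg"] == KEEPALIVE_BODY


def filter_archive(lines, drop_patterns=DEFAULT_DROP_PATTERNS):
    """Return (records worth retaining, Counter of what happened to every line).

    Lines that do not parse are counted, not silently lost: if "unparsed" is
    non-zero on a real file, the assumed line format above is wrong for it.
    """
    kept, stats = [], Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_archive_line(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        if is_keepalive(rec):
            stats["keepalive"] += 1
            continue
        if any(p.search(rec["msg"]) for p in drop_patterns):
            stats["dropped_pattern"] += 1
            continue
        stats["kept"] += 1
        kept.append(rec)
    return kept, stats


# Constructed sample in the assumed format, not a real capture.
SAMPLE = """\
2014 Mar 05 10:15:01 (web01) 10.0.0.11->ossec-keepalive --MARK--
2014 Mar 05 10:15:02 (web01) 10.0.0.11->/var/log/auth.log Mar  5 10:15:02 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.50 port 51022 ssh2
2014 Mar 05 10:15:03 (db01) 10.0.0.21->/var/log/syslog Mar  5 10:15:01 db01 CRON[4412]: pam_unix(cron:session): session opened for user root by (uid=0)
2014 Mar 05 10:15:04 ossec-server->/var/log/messages Mar  5 10:15:04 ossec-server kernel: [12345.678] usb 1-1: new high-speed USB device
this line is not in archive format
2014 Mar 05 10:15:05 (web01) 10.0.0.11->/var/log/auth.log Mar  5 10:15:05 web01 sshd[2215]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
"""


def main(argv):
    # Read a real archives.log if a path is given, otherwise use the sample.
    if len(argv) > 1:
        lines = open(argv[1], encoding="utf-8", errors="replace")
    else:
        lines = SAMPLE.splitlines()
    kept, stats = filter_archive(lines)
    for rec in kept:
        print(json.dumps(rec))  # one JSON object per line for a search backend
    print(json.dumps(dict(stats)), file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python filter_archive.py /var/ossec/logs/archives/archives.log > retained.jsonl` and look at the counts on stderr first: a large "unparsed" figure means the assumed line layout does not match your build, and the regex should be adjusted before anything is discarded. Emitting the header fields as separate JSON keys is what lets a search tool index by agent, IP or source file instead of treating everything as one "ossec-archive" blob.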
