On Thu, May 31, 2012 at 6:15 AM, [email protected] <[email protected]> wrote:
> Hi all
>
> Currently considering an Ossec deployment, could I please check my
> understanding of the following;
>
> Ossec alerts - can be logged to syslog, file, database and sent as emails.
>
> Original log lines received from agents - can be logged to archive.log file
> with the "logall" directive for retention (doesn't cause these to be added to
> a configured db and they don't appear to be sent to syslog either should this
> be enabled, presuming these aren't options?).
>
Those are not options.

> And a slightly off topic question if I may.
>
> I'd be interested in hearing what others are doing with regard to log retention
> / enabling rich searching of the archive log, having taken a quick look at
> elsa as an example this appears to import everything as ossec-archive which
> doesn't appear ideal for utilising the search functions.
>
> It would be plausible in our case to actually junk a good portion of what's
> in the archive (ossec keepalives, log lines considered irrelevant for
> retention) but I'm not sure exactly where to begin (regex not being a strong
> point) and am wondering what others have done who have used the archive as a
> basis for log retention.
>
> Many thanks in advance
>

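The retention question above asks where to begin with dropping keepalives and other noise from archives.log. The script below is an added example, written for this thread and not OSSEC's own tooling nor anything the original poster ran. It assumes the usual archives.log line layout of "YYYY Mon DD HH:MM:SS (agent) ip->location message" (with keepalives arriving under the "ossec-keepalive" location and a "--MARK--" payload); adjust ARCHIVE_RE if your version writes something different. The sample lines and the ignore patterns are constructed for illustration; a real deployment would tune the patterns to its own sources. Lines the parser cannot understand are kept, not dropped, so a regex mistake cannot silently destroy data you meant to retain.

```python
"""Trim an OSSEC archives.log (written when <logall>yes</logall> is set)
down to the lines worth retaining.

Added example for the retention discussion; not OSSEC's own tooling.
The header layout below is an assumption about archives.log output.
"""
import re
import sys
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Assumed header of one archives.log line:
#   2012 May 31 06:15:01 (web01) 10.0.0.5->/var/log/auth.log <original message>
# The "(agent) " part is optional so manager-local lines still parse.
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]*)\) )?"
    r"(?P<src>\S+?)->(?P<location>\S+) "
    r"(?P<msg>.*)$"
)

# Keepalives are identified by location; the "--MARK--" payload check is a
# fallback. Both values are assumptions about what OSSEC writes.
KEEPALIVE_LOCATION = "ossec-keepalive"
KEEPALIVE_PAYLOAD = "--MARK--"

# Constructed, per-site list of messages considered irrelevant for retention.
# Patterns are searched against the message body only, never the header, so
# a loose pattern cannot match an agent name or timestamp by accident.
DEFAULT_IGNORE = [
    r"CRON\[\d+\]: pam_unix\(cron:session\): session (opened|closed) for user \w+",
    r"dhclient\[\d+\]: DHCP(REQUEST|ACK|OFFER)",
]


def parse_archive_line(line: str) -> Optional[dict]:
    """Split one archives.log line into its header fields, or None if it
    does not look like an archive line."""
    m = ARCHIVE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify(line: str, ignore: List["re.Pattern"]) -> str:
    """Return 'keep', 'keepalive', 'ignored' or 'unparsed' for one line."""
    rec = parse_archive_line(line)
    if rec is None:
        return "unparsed"
    if rec["location"] == KEEPALIVE_LOCATION or rec["msg"].startswith(KEEPALIVE_PAYLOAD):
        return "keepalive"
    if any(p.search(rec["msg"]) for p in ignore):
        return "ignored"
    return "keep"


def filter_archive(lines: Iterable[str],
                   ignore_patterns: List[str] = DEFAULT_IGNORE,
                   keep_unparsed: bool = True) -> Tuple[List[str], Counter]:
    """Return (lines to retain, verdict counts).

    Unparsed lines are retained by default: a retention filter should fail
    open, so a format change in archives.log shows up as a growing
    'unparsed' count rather than as silently missing history.
    """
    ignore = [re.compile(p) for p in ignore_patterns]
    kept: List[str] = []
    counts: Counter = Counter()
    for line in lines:
        verdict = classify(line, ignore)
        counts[verdict] += 1
        if verdict == "keep" or (verdict == "unparsed" and keep_unparsed):
            kept.append(line.rstrip("\n"))
    return kept, counts


# Constructed sample archive: one keepalive, two auth events worth keeping,
# two noise lines matched by DEFAULT_IGNORE, and one line in no known format.
SAMPLE_ARCHIVE = """\
2012 May 31 06:15:00 (web01) 10.0.0.5->ossec-keepalive --MARK--: 1a2b3c4d5e
2012 May 31 06:15:01 (web01) 10.0.0.5->/var/log/auth.log May 31 06:15:01 web01 sshd[2312]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
2012 May 31 06:15:01 (web01) 10.0.0.5->/var/log/syslog May 31 06:15:01 web01 CRON[2319]: pam_unix(cron:session): session opened for user root by (uid=0)
2012 May 31 06:15:02 (db01) 10.0.0.7->/var/log/auth.log May 31 06:15:02 db01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
2012 May 31 06:15:04 (web01) 10.0.0.5->/var/log/syslog May 31 06:15:04 web01 dhclient[981]: DHCPREQUEST on eth0 to 10.0.0.1 port 67
not an archive line at all
"""


if __name__ == "__main__":
    # Usage: python filter_archive.py [/var/ossec/logs/archives/archives.log]
    # Without an argument the constructed sample is used.
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ARCHIVE.splitlines()
    retained, verdicts = filter_archive(source)
    print("\n".join(retained))
    print("# verdicts:", dict(verdicts), file=sys.stderr)
```

Run it over a day's archives.log and watch the verdict counts on stderr: a rising "unparsed" figure means the header regex no longer matches what your OSSEC version writes, and a "keepalive" figure far above the number of agents times the keepalive interval means something else is landing under that location. Either way the retained output stays a superset of what you meant to keep.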