On Wed, Aug 1, 2012 at 1:46 AM, Carlos Lugo <[email protected]> wrote: > Why not simply have each of the agents speak directly to the central OSSEC > server (rather than deal with a second layer)? > Perhaps you could configure it with multiple adapters/IP addresses so that it > has a presence on each of your subnets/networks. > > Sent from my iPhone >
It can be nice to split these things up. For instance, if you want to give multiple locations their own OSSEC server for alerting purposes (and to customize to that environment better), but you also want a centralized repository of alerts from all of the different locations. Or you can have an OSSEC server monitor the desktops, while another sits in another location monitoring the servers. These tasks are different enough that I'd think that could be useful. Plus, splitting the tasks up by security requirement is nice. > On Jul 31, 2012, at 11:01 PM, Patrick <[email protected]> wrote: > >> Hi, >> >> We're looking at OSSEC and I'm wondering if it supports the following config >> Ossec Agent -> Ossec Server -> Ossec Server? >> >> We have multiple LAN segments and want to have a central OSSEC aggregation >> point in each segment, then have that aggregation point forward logs to a >> central OSSEC server. >> >> I already have OSSEC agents talking to their respective OSSEC agg point in >> their zone, however need assistance getting the agg points talking to the >> final OSSEC server. >> >> Is this supported/achievable? >> >> Thank you for any info you can provide. >> >> Pat
