On Wed, Aug 8, 2012 at 12:45 PM, Beau <[email protected]> wrote:
> I'm wondering if anyone uses an OSSEC agent to monitor a Splunk server (free
> edition) for log integrity. For PCI-DSS, I understand one needs to make
> sure logs (stored on Splunk, in our case) maintain integrity.
>
> I'm hoping OSSEC can help achieve this.
>
> To put it another way, we already have an OSSEC server monitoring the
> clients that are in turn logging to the Splunk server, so I think we're
> covered on some level, ensuring that the clients are not being tampered
> with, but it would be great to use OSSEC to verify that the centralized log
> server (Splunk) is maintaining integrity as well.
>
> Anyone have thoughts on this?
>
> Also, I sort of get that you can use OSSEC to monitor specific locations for
> changes, but I assume the Splunk indexes are always changing, so I'm unclear
> how OSSEC could be used to keep its "eye" on the Splunk data.
OSSEC could potentially detect a logfile getting smaller, but I don't know how likely we are to win that race. Beyond that, if the logfile is text OSSEC could monitor it and forward the logs somewhere else.
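To make the "logfile getting smaller" idea from the reply concrete, here is an added example that is not part of the thread and not OSSEC code. It implements an append-only integrity check in Python: between two observations a log may only grow, and the bytes that were already present must be unchanged. The state kept per file is just the last seen size and a SHA-256 of the content at that size, so the check is cheap enough to run on a live log. The sample log lines are constructed for the demo.

```python
"""Append-only integrity check for a growing log file (added example).

Idea: a log file should only ever grow. If at the next check it is shorter,
or the prefix we already hashed no longer matches, history was rewritten.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LogState:
    size: int     # byte length of the file at the last check
    digest: str   # sha256 of the first `size` bytes at the last check


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_log(current: bytes, prev: Optional[LogState]) -> Tuple[str, LogState]:
    """Compare the current file content against the previous observation.

    Returns (verdict, new_state). Verdicts:
      'baseline'  first observation, nothing to compare against
      'ok'        file is unchanged or grew, and the old bytes are intact
      'truncated' file is shorter than at the last check
      'rewritten' not shorter, but the previously seen prefix differs
    The new state always reflects the current content, so the next check
    measures drift from now rather than re-alerting on the same event.
    """
    new_state = LogState(len(current), _sha256(current))
    if prev is None:
        return "baseline", new_state
    if len(current) < prev.size:
        return "truncated", new_state
    if _sha256(current[: prev.size]) != prev.digest:
        return "rewritten", new_state
    return "ok", new_state


def check_log_file(path: str, prev: Optional[LogState]) -> Tuple[str, LogState]:
    """Convenience wrapper for a real file on disk."""
    with open(path, "rb") as fh:
        return check_log(fh.read(), prev)


def demo() -> List[str]:
    """Walk through the four verdicts on a constructed log; returns them in order."""
    verdicts = []
    # Constructed sample lines; not real Splunk or syslog data.
    log = b"Aug  8 12:45:01 host sshd[101]: Accepted publickey for beau\n"
    verdict, state = check_log(log, None)
    verdicts.append(verdict)                       # baseline

    log += b"Aug  8 12:46:12 host sudo: beau : COMMAND=/bin/ls\n"
    verdict, state = check_log(log, state)
    verdicts.append(verdict)                       # ok: append only

    # An earlier line is edited in place; the file is no shorter, but the
    # prefix hash no longer matches.
    edited = log.replace(b"beau : COMMAND=/bin/ls", b"beau : COMMAND=/bin/id")
    verdict, state = check_log(edited, state)
    verdicts.append(verdict)                       # rewritten

    # The file is emptied, as by a truncating rotation or a cover-up.
    verdict, state = check_log(b"", state)
    verdicts.append(verdict)                       # truncated
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The prefix hash matters for the race the reply worries about: even if a file is truncated and regrown past its old size between two checks, the regrown bytes will not match the stored digest unless they are byte-for-byte the original content, so the event is still caught as `rewritten` without ever observing the smaller size. Legitimate log rotation also trips the `truncated` verdict, so a real deployment would reset the baseline on rotation (for example by tracking the file's inode) rather than treating every shrink as tampering.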
