On Wed, Nov 21, 2012 at 3:03 PM, Scott Nelson <[email protected]> wrote:
> On Nov 21, 2012, at 1:50 PM, dan (ddp) wrote:
>
>> On Wed, Nov 21, 2012 at 2:44 PM, Scott <[email protected]> wrote:
>>> Hello,
>>>
>>> I would like to have my logs from a distant subnet forwarded to a central
>>> ossec server. Some of these logs are UDP 514 syslog format from
>>> "appliances".
>>>
>>> So, I was thinking that I change my current ossec server that is on that
>>> subnet (which now collects all logs) into a hybrid server and have it
>>> forward logs to my new central ossec server.
>>>
>>> Does that sound reasonable?
>>>
>>
>> The hybrid mode will send OSSEC alerts to a central OSSEC server, not all
>> logs.
>
> Hmm. Okay, please have patience with me, so if I then forget about hybrid
> mode, then how do I forward logs safely and securely over the internet to my
> central ossec server? I kinda imagined that was the purpose of the hybrid
> mode -- remoted + agentd.
>
> Thanks,
>
> Scott

I think the point is to have a central repository for the alerts more than having a central repo for all of the logs. Otherwise you could just have 1 central server, and never have to worry about hybrid mode.
