On Nov 21, 2012, at 2:23 PM, dan (ddp) wrote:
>> Hmm. Okay, please have patience with me, so if I then forget about hybrid
>> mode, then how do I forward logs safely and securely over the internet to my
>> central ossec server?
>
> I think the point is to have a central repository for the alerts more
> than having a central repo for all of the logs. Otherwise you could
> just have 1 central server, and never have to worry about hybrid mode.
For me, it is to have an off-site copy of all logs for compliance reasons. How about this: I configure my local ossec server to only log remote syslog files, but I also install an agent into /var/ossec/ossec-agent, and have it read /var/ossec/logs/archives/archives.log in addition to the standard things?
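As an added illustration of the setup proposed above (not from the original post or the OSSEC project), here are the two ossec.conf fragments that setup would need: the local server keeps a full event archive with logall enabled, and the hybrid agent installed alongside it ships that archive to the central manager over the agent channel. The allowed-ips range, the central manager address, and the agent config path /var/ossec/ossec-agent/etc/ossec.conf are assumptions for the example.

```xml
<!-- File 1: local OSSEC server, /var/ossec/etc/ossec.conf (added example) -->
<ossec_config>
  <global>
    <!-- Write every received event, not only alerts, to logs/archives/archives.log -->
    <logall>yes</logall>
  </global>
  <remote>
    <!-- Accept plain syslog from local devices; range is an assumed example -->
    <connection>syslog</connection>
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>
</ossec_config>

<!-- File 2: hybrid agent on the same host, /var/ossec/ossec-agent/etc/ossec.conf (assumed path) -->
<ossec_config>
  <client>
    <!-- Central manager; documentation example address, replace with the real one -->
    <server-ip>203.0.113.10</server-ip>
  </client>
  <localfile>
    <!-- Read the local server's archive and forward it over the encrypted agent channel -->
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/archives/archives.log</location>
  </localfile>
</ossec_config>
```

With logall enabled the archive holds every event the local server receives, so the agent channel carries the full syslog volume rather than alerts only; check that the logcollector keeps up and that the central manager's storage is sized for it.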
