It really depends on how much you monitor. You can configure your syslog program to log everything, log nothing, or anything in-between. Then you can configure your agent to only look at all of your log files or only some of your log files.
On Wednesday, December 5, 2012 11:49:20 PM UTC-6, peng lin wrote:
>
> Log monitoring cost how much Bandwidth?
>
That depends. You have great control on the bandwidth by controlling how much is logged on the agent by your syslog program, and then which log files you wish to have the agent send to the server.

> If I use this to monitor agent's syslog, did agent will send all of his
> syslog to server?
>
You configure the agent and tell it which log files to send to server.

> and server only process the syslog which agent send not store, or will
> copy it store to another place then process it
>
The level of the rule determines if the message is ignored (0), stored (log_alert_level) or alerted (email_alert_level). However, you can set logall to yes if you wish that everything is stored. See etc/ossec.conf
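
The settings named in the thread, shown as an added `ossec.conf` sketch that is not part of the original messages. The log file paths, the `/var/ossec` install prefix and the level values are assumptions chosen for illustration.

```xml
<!-- Agent: /var/ossec/etc/ossec.conf (install prefix assumed).
     Only files listed in <localfile> blocks are read and forwarded,
     so this list is what bounds agent-to-server bandwidth. -->
<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>  <!-- assumed path -->
  </localfile>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>  <!-- assumed path -->
  </localfile>
  <!-- Files with no <localfile> entry are never sent to the server. -->
</ossec_config>

<!-- Server: /var/ossec/etc/ossec.conf (install prefix assumed). -->
<ossec_config>
  <global>
    <!-- no: only events whose rule reaches log_alert_level are stored.
         yes: every received event is archived, whatever its rule level. -->
    <logall>no</logall>
  </global>
  <alerts>
    <!-- Rule level 0: event is ignored. -->
    <!-- Rule level >= log_alert_level: alert is stored. -->
    <log_alert_level>1</log_alert_level>
    <!-- Rule level >= email_alert_level: alert is also e-mailed. -->
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
```

Setting `logall` to `yes` increases disk use on the server only; what crosses the network is still decided by the agent's `<localfile>` list and by how much the local syslog program writes to those files.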
