Dan,

Thank you for catching my unclear expression of the architecture.

I was hoping the OSSEC server would have a way to differentiate, based on an agent property, whether to apply the <logall> option. With logall enabled I understand that the full log messages will be retained in /var/ossec/logs/archives. I could then have the Splunk agent monitor that directory to address retention requirements. Since <logall> is a global option, it appears I may be forced into a two-manager architecture, where the agents are associated with a manager based on my retention needs. I'd prefer to stick to one manager to keep complexity low; if you have any ideas on how that may be accomplished I would be happy to hear them.

Blake

On Monday, June 24, 2013 11:25:32 AM UTC-5, dan (ddpbsd) wrote:
>
> On Mon, Jun 24, 2013 at 12:15 PM, Blake Johnson <[email protected]> wrote:
> > We're evaluating OSSEC for use in our environment and are currently in proof of concept testing. We'll have two general types of agents with different compliance requirements that I'm considering separating with profiles.
> >
> > For Profile 1 I'd like to forward OSSEC alerts and full raw logs to Splunk via syslog. For Profile 2 I'd like to forward just alerts.
> >
>
> Agents do not create alerts.
>
> > We have alerts forwarding to Splunk successfully in our lab. Has anyone had success using an agent property, profile or otherwise, to set log destination? Any other ideas to accomplish this goal (multi-manager setup comes to mind)?
> >
>
> The OSSEC server does not have the capability of forwarding the logs it receives.
>
> > Any feedback is greatly appreciated, I'm still quite new to the project.
> >
> > Blake Johnson
> > IT Security Analyst
> > Alliant Energy
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/groups/opt_out.
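One single-manager approach to the per-profile retention question raised in the message above, as an added example that is not part of the thread or of OSSEC: let <logall> write everything to the archives directory, then split that archive by agent so only the Profile 1 agents' raw lines land in the directory the Splunk forwarder watches. The archives.log line layout, the agent names and the sample lines are constructed assumptions; verify the layout against your own manager's output before relying on the parser.

```python
"""Split an OSSEC <logall> archive into per-agent files for selective retention.

Assumption: archives.log lines look like
'YYYY Mon DD HH:MM:SS (agent) ip->location original message'.
A 'profile' here is simply a set of agent names (assumption, not an OSSEC feature).
"""
import re
from collections import defaultdict
from pathlib import Path

# Constructed sample lines in the assumed archives.log layout.
SAMPLE_ARCHIVE = """\
2013 Jun 24 11:25:32 (web01) 10.1.2.3->/var/log/auth.log Jun 24 11:25:31 web01 sshd[2211]: Accepted publickey for svc from 10.1.2.50 port 51022 ssh2
2013 Jun 24 11:25:33 (db01) 10.1.2.4->/var/log/messages Jun 24 11:25:33 db01 kernel: eth0: link up
2013 Jun 24 11:25:34 (web01) 10.1.2.3->/var/log/syslog Jun 24 11:25:34 web01 cron[99]: (root) CMD (run-parts /etc/cron.hourly)
2013 Jun 24 11:25:35 (lab-test) 10.9.9.9->/var/log/messages Jun 24 11:25:35 lab-test sshd[77]: Failed password for invalid user admin from 10.9.9.1
"""

ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"\((?P<agent>[^)]+)\) (?P<ip>\S+)->(?P<location>\S+) (?P<msg>.*)$"
)

# Profile 1 (constructed): agents whose full raw logs must be retained.
# Every other agent is treated as Profile 2 (alerts only), so its raw lines are dropped.
PROFILE_FULL_LOGS = {"web01", "db01"}


def parse_archive_line(line):
    """Return the parsed fields of one archives.log line, or None if it does not match."""
    m = ARCHIVE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def route_archive(text, full_log_agents=PROFILE_FULL_LOGS):
    """Group raw lines by agent, keeping only agents that need full-log retention.

    Returns ({agent: [original line, ...]}, number of lines dropped), where
    dropped covers Profile 2 agents and lines the parser could not understand.
    """
    kept, dropped = defaultdict(list), 0
    for line in text.splitlines():
        rec = parse_archive_line(line)
        if rec is None or rec["agent"] not in full_log_agents:
            dropped += 1
            continue
        kept[rec["agent"]].append(line)
    return dict(kept), dropped


def write_kept(kept, dest_dir):
    """Append each agent's lines to <dest_dir>/<agent>.log, the directory a Splunk
    forwarder would monitor instead of archives.log itself. Returns the file names."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    for agent, lines in kept.items():
        with open(dest / f"{agent}.log", "a", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return sorted(p.name for p in dest.iterdir())
```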
