On 16.09.2013 14:04, Eric wrote:
> ...
> My main fear is since I'm not
> using OSSEC's agent portion of it, it looks like the only agent is
> localhost and is therefore going to combine a lot of the traffic we
> see into 1 big alert. If I get login failures from server1 and
> server2, it will treat this as the same source and correlate it a lot
> faster than it would if it treated them as separate servers.
I have layered OSSEC on top of an existing syslog server in several
environments. As long as the log messages themselves don't look like
they are all coming from the same place, OSSEC will see them as separate
systems. The hostname portion of the syslog is extracted like any other
field, so it will work.
By not using agents, you will lose some functionality; namely, active
response, integrity checking and rootkit detection.
If you're looking for SIEM-like functionality (asset valuation, etc.),
try the solution from AlienVault. OSSEC is deeply integrated into their
solution and they have contributed back to OSSEC.
You received this message because you are subscribed to the Google Groups "ossec-list" group.
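To make the hostname-extraction point concrete, here is an added Python example (not OSSEC's decoder and not code from anyone in this thread) that parses the HOSTNAME field out of constructed BSD-syslog lines and counts failed logins per originating host; the `override_host` switch simulates the case the reply warns about, where a relay rewrites the hostname so every message appears to come from one place and the counts collapse into a single source.

```python
import re
from collections import Counter

# Classic BSD syslog (RFC 3164) shape: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Constructed sample lines, as a central syslog server would receive them
# from two different hosts (documentation-range IPs, invented hostnames).
SAMPLE_LOGS = """\
<38>Sep 16 14:01:07 server1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 52114 ssh2
<38>Sep 16 14:01:09 server1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 52116 ssh2
<38>Sep 16 14:01:12 server2 sshd[917]: Failed password for root from 203.0.113.5 port 40022 ssh2
<38>Sep 16 14:01:15 server1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 52120 ssh2
<38>Sep 16 14:01:20 server2 sshd[917]: Accepted publickey for deploy from 203.0.113.9 port 40030 ssh2
<38>Sep 16 14:01:22 server1 sshd[2211]: Failed password for invalid user admin from 198.51.100.7 port 52122 ssh2
"""

def parse_syslog(line):
    """Split one syslog line into its fields; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def failures_by_host(lines, override_host=None):
    """Count 'Failed password' events per originating host.

    override_host simulates a relay that rewrites the hostname field, so
    every message looks like it came from one place and the counts merge.
    """
    counts = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or "Failed password" not in rec["msg"]:
            continue
        counts[override_host or rec["host"]] += 1
    return counts

def hosts_over_threshold(counts, threshold):
    """Hosts whose failure count has reached the alert threshold."""
    return sorted(h for h, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    per_host = failures_by_host(lines)             # {'server1': 4, 'server2': 1}
    merged = failures_by_host(lines, "localhost")  # {'localhost': 5}
    print("per-host:", dict(per_host), hosts_over_threshold(per_host, 5))
    print("merged:  ", dict(merged), hosts_over_threshold(merged, 5))
```

With a threshold of 5, the per-host view raises no alert while the merged view does, which is exactly the premature correlation the original question feared; keeping the real hostname in the syslog header is what avoids it.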