I have 3000+ servers feeding syslog into a single OSSEC server and OSSEC parses the data just fine. It is also very easy to use something like filtering within syslog (in this case syslog-ng) to write filters and process the hosts, groups of hosts, etc., to drop the alerts in different locations as needed. OSSEC still processes everything, seeing all 3000 hosts uniquely, and alerting is done via AV OSSIM.
Works beautifully.

~J

On Monday, September 16, 2013 12:39:20 PM UTC-7, Michael Starks wrote:

> On 16.09.2013 14:04, Eric wrote:
> > ...
> > My main fear is since I'm not using OSSEC's agent portion of it, it looks like the only agent is localhost and is therefore going to combine a lot of the traffic we see into 1 big alert. If I get login failures from server1 and server2, it will treat this as the same source and correlate it a lot faster than it would if it treated them as separate servers.
>
> I have layered OSSEC on top of an existing syslog server in several environments. As long as the log messages themselves don't look like they are all coming from the same place, OSSEC will see them as separate systems. The hostname portion of the syslog is extracted like any other field, so it will work.
>
> By not using agents, you will lose some functionality; namely, active response, integrity checking and rootkit detection.
>
> If you're looking for SIEM-like functionality (asset valuation, etc), try the solution from AlienVault. OSSEC is deeply integrated into their solution and they have contributed back to OSSEC.
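As an added illustration (not part of the thread, and not OSSEC's own parser or rules) of the hostname point above: a small Python model of how a collector keys events on the hostname field of the RFC 3164 syslog header, and how the same six failures correlate very differently when every line appears to come from a single host. The regexes, the threshold of 5 and the sample log lines are all constructed for this example.

```python
import re
from collections import Counter

# RFC 3164 header: "<PRI>Mon DD HH:MM:SS hostname tag[pid]: message" (PRI is optional in files).
SYSLOG_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)
# Constructed pattern for OpenSSH authentication failures.
FAILED_LOGIN_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from \S+")

def parse_syslog(line):
    """Return the header fields of one RFC 3164 line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def failed_logins_per_host(lines, collapse_host=None):
    """Count sshd authentication failures keyed by the hostname in the syslog header.
    collapse_host simulates the feared case where every message looks as if it came
    from one host (e.g. the collector itself) instead of the original sender."""
    counts = Counter()
    for line in lines:
        fields = parse_syslog(line)
        if fields is None or fields["tag"] != "sshd":
            continue  # unparseable line or not from sshd
        if not FAILED_LOGIN_RE.search(fields["msg"]):
            continue  # e.g. an accepted login, not a failure
        counts[collapse_host or fields["host"]] += 1
    return counts

def hosts_over_threshold(counts, threshold):
    """Hosts whose failure count would trip a frequency-style rule (threshold is constructed)."""
    return sorted(h for h, n in counts.items() if n >= threshold)

# Constructed sample: two servers relayed through one syslog server, three failures each.
SAMPLE = [
    "Sep 16 12:40:01 server1 sshd[2101]: Failed password for root from 10.0.0.5 port 4411 ssh2",
    "Sep 16 12:40:02 server2 sshd[3150]: Failed password for invalid user admin from 10.0.0.7 port 5120 ssh2",
    "Sep 16 12:40:03 server1 sshd[2101]: Failed password for root from 10.0.0.5 port 4412 ssh2",
    "<38>Sep 16 12:40:04 server2 sshd[3150]: Failed password for invalid user admin from 10.0.0.7 port 5121 ssh2",
    "Sep 16 12:40:05 server1 CRON[900]: pam_unix(cron:session): session opened for user root",
    "Sep 16 12:40:06 server1 sshd[2101]: Failed password for root from 10.0.0.5 port 4413 ssh2",
    "Sep 16 12:40:07 server2 sshd[3150]: Failed password for invalid user admin from 10.0.0.7 port 5122 ssh2",
    "Sep 16 12:40:08 server2 sshd[3151]: Accepted password for deploy from 10.0.0.9 port 6000 ssh2",
]
```

With hostnames preserved neither server reaches the threshold, while collapsing everything onto one host does, which is exactly the premature correlation Eric was worried about.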
