I too use AlienVault and (outside of some AWS cloud anomalies) it works fine. I doubt seriously that 400 servers would put a dent in the application. I use PowerShell to push all of the agents, update the server-type-specific profiles in the ossec.conf settings, and configure integrity checking. It is hard to beat. The clients are very lean and easily manageable. I would give it a whirl in your lab, with and without agents, to see for yourself the benefit of the AV engine with the agents and all of the point-and-click settings. (99% Linux environment here too.)
Jared

On Mon, Sep 16, 2013 at 4:43 PM, Janelle <[email protected]> wrote:
> I have 3000+ servers feeding syslog into a single OSSEC server and OSSEC
> parses the data just fine. It is also very easy to use something like
> filtering within syslog (in this case syslog-ng) to write filters and
> process the hosts, groups of hosts, etc., to drop the alerts in different
> locations as needed. OSSEC still processes everything, seeing all 3000 hosts
> uniquely, and alerting is done via AV OSSIM.
>
> Works beautifully.
> ~J
>
>
> On Monday, September 16, 2013 12:39:20 PM UTC-7, Michael Starks wrote:
>>
>> On 16.09.2013 14:04, Eric wrote:
>>
>> ...
>>
>> > My main fear is since I'm not
>> > using OSSEC's agent portion of it, it looks like the only agent is
>> > localhost and is therefore going to combine a lot of the traffic we
>> > see into 1 big alert. If I get login failures from server1 and
>> > server2, it will treat this as the same source and correlate it a lot
>> > faster than it would if it treated them as separate servers.
>>
>> I have layered OSSEC on top of an existing syslog server in several
>> environments. As long as the log messages themselves don't look like
>> they are all coming from the same place, OSSEC will see them as separate
>> systems. The hostname portion of the syslog is extracted like any other
>> field, so it will work.
>>
>> By not using agents, you will lose some functionality; namely, active
>> response, integrity checking and rootkit detection.
>>
>> If you're looking for SIEM-like functionality (asset valuation, etc.),
>> try the solution from AlienVault. OSSEC is deeply integrated into their
>> solution and they have contributed back to OSSEC.
>>
--
Thank you,
Jared R. Greene

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
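Worked illustration of the point Eric raised and Michael answered in the quoted thread (the hostname field of a syslog line is what keeps server1 and server2 apart when one collector feeds everything). This is an added example, not code from the thread and not OSSEC or OSSIM code; it does not use OSSEC's rule format. It assumes RFC 3164-style lines as OpenSSH writes them, a constructed set of sample lines, and a made-up threshold rule of 5 failures in 60 seconds. The `relay_rewrite` helper simulates a relay that overwrites the origin hostname with its own, which is the "all coming from the same place" case where separate hosts collapse into one source and the rule fires much sooner.

```python
"""Per-host correlation of sshd login failures parsed from syslog lines.

Added example for the thread above; not OSSEC code. It shows why the syslog
HOSTNAME field matters when one collector feeds many hosts: keyed on that
field, failures from server1 and server2 are tracked separately; if a relay
stamps its own name into every line, they pool into one source and a
threshold rule fires earlier. The sample lines, the threshold (5) and the
window (60 s) are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# RFC 3164-style header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# OpenSSH password-failure message.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample input: three failures from each of two hosts, one success.
SAMPLE_LOGS = [
    "<38>Sep 16 12:00:01 server1 sshd[2101]: Failed password for root from 203.0.113.5 port 51522 ssh2",
    "<38>Sep 16 12:00:03 server2 sshd[877]: Failed password for invalid user admin from 203.0.113.5 port 51530 ssh2",
    "<38>Sep 16 12:00:05 server1 sshd[2101]: Failed password for root from 203.0.113.5 port 51540 ssh2",
    "<38>Sep 16 12:00:06 server2 sshd[877]: Failed password for invalid user admin from 203.0.113.5 port 51544 ssh2",
    "<38>Sep 16 12:00:09 server1 sshd[2101]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2",
    "<38>Sep 16 12:00:10 server1 sshd[2101]: Failed password for root from 203.0.113.5 port 51550 ssh2",
    "<38>Sep 16 12:00:12 server2 sshd[877]: Failed password for invalid user admin from 203.0.113.5 port 51562 ssh2",
]


def parse_syslog(line, year=2013):
    """Split one RFC 3164 line into fields; return None if it does not parse.
    The header carries no year, so the caller supplies one."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "tag": m["tag"], "msg": m["msg"]}


def failures_by_host(lines):
    """Count sshd password failures per syslog HOSTNAME field."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None and FAILED_RE.search(rec["msg"]):
            counts[rec["host"]] += 1
    return dict(counts)


def correlate_failures(lines, threshold=5, window_seconds=60):
    """Sliding-window threshold rule keyed on the hostname.

    Returns a list of (host, fired_at) tuples. A host fires when `threshold`
    failures fall within `window_seconds`; its window is cleared after firing
    so one burst yields one alert.
    """
    recent = defaultdict(deque)  # host -> timestamps of recent failures
    alerts = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or not FAILED_RE.search(rec["msg"]):
            continue
        q = recent[rec["host"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((rec["host"], rec["ts"]))
            q.clear()
    return alerts


def relay_rewrite(line, relay_host="logcollector"):
    """Simulate a relay that stamps its own name into the HOSTNAME field,
    the case in which every origin host collapses into one source."""
    return re.sub(r"^(<\d{1,3}>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ ",
                  rf"\1 {relay_host} ", line, count=1)


if __name__ == "__main__":
    print("per host:", failures_by_host(SAMPLE_LOGS))
    print("alerts  :", correlate_failures(SAMPLE_LOGS))
    collapsed = [relay_rewrite(l) for l in SAMPLE_LOGS]
    print("collapsed:", failures_by_host(collapsed))
    print("alerts   :", correlate_failures(collapsed))
```

With the hostnames intact, six failures split 3/3 and a 5-in-60s rule stays quiet; after the relay rewrite the same six lines count as one source and the rule fires on the fifth failure. The practical check before layering OSSEC on an existing syslog server is therefore to tail the collector's file and confirm the HOSTNAME column still shows the origin hosts rather than the relay.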
