Are you using the open source version of AV OSSIM or the paid-for version? I had concerns about the number of events per second the open source version could handle, because just the firewall that we want to alert off of sends around 200 - 300 events per second.
On Monday, September 16, 2013 4:43:42 PM UTC-4, Janelle wrote:
> I have 3000+ servers feeding syslog into a single OSSEC server and OSSEC parses the data just fine. It is also very easy to use something like filtering within syslog (in this case syslog-ng) to write filters and process the hosts, groups of hosts, etc, to drop the alerts in different locations as needed. OSSEC still processes everything seeing all 3000 hosts uniquely, and alerting is done via AV OSSIM.
>
> Works beautifully.
> ~J
>
> On Monday, September 16, 2013 12:39:20 PM UTC-7, Michael Starks wrote:
>> On 16.09.2013 14:04, Eric wrote:
>> ...
>> > My main fear is since I'm not using OSSEC's agent portion of it, it looks like the only agent is localhost and is therefore going to combine a lot of the traffic we see into 1 big alert. If I get login failures from server1 and server2, it will treat this as the same source and correlate it a lot faster than it would if it treated them as separate servers.
>>
>> I have layered OSSEC on top of an existing syslog server in several environments. As long as the log messages themselves don't look like they are all coming from the same place, OSSEC will see them as separate systems. The hostname portion of the syslog is extracted like any other field, so it will work.
>>
>> By not using agents, you will lose some functionality; namely, active response, integrity checking and rootkit detection.
>>
>> If you're looking for SIEM-like functionality (asset valuation, etc), try the solution from AlienVault. OSSEC is deeply integrated into their solution and they have contributed back to OSSEC.
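The point Michael makes above, that a central syslog receiver still lets events be attributed per host because the hostname is a field of the syslog line, can be shown with a small parser. The following is an added illustration, not code from the thread or from OSSEC itself: it parses BSD-style (RFC 3164) syslog lines forwarded from several servers, counts sshd login failures per extracted hostname, and contrasts that with the single collapsed count you would get if everything were treated as "localhost". The sample lines, hostnames (server1..server3) and the threshold value are constructed for the example; the regular expressions are a simplified approximation of the format, not OSSEC's decoders.

```python
import re
from collections import Counter

# Simplified BSD-syslog (RFC 3164) pattern: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
# (an approximation for the example, not OSSEC's decoder)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Matches the OpenSSH "Failed password" message body
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample input: three servers relayed through one syslog collector.
# Addresses are RFC 5737 documentation ranges.
SAMPLE_LINES = [
    "<38>Sep 16 14:04:01 server1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 4402 ssh2",
    "<38>Sep 16 14:04:03 server1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 4403 ssh2",
    "<38>Sep 16 14:04:05 server1 sshd[2211]: Failed password for root from 203.0.113.5 port 4404 ssh2",
    "<38>Sep 16 14:04:07 server2 sshd[917]: Failed password for eric from 198.51.100.9 port 51002 ssh2",
    "<38>Sep 16 14:04:09 server2 sshd[917]: Failed password for eric from 198.51.100.9 port 51003 ssh2",
    "<38>Sep 16 14:04:10 server3 sshd[1400]: Accepted publickey for eric from 198.51.100.9 port 51010 ssh2",
    "<78>Sep 16 14:05:01 server3 CRON[1500]: (root) CMD (run-parts /etc/cron.hourly)",
    "this line is not syslog at all",
]


def parse_syslog(line):
    """Return a dict of syslog fields, or None if the line does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec["pri"])
    # PRI encodes facility * 8 + severity
    rec["facility"], rec["severity"] = divmod(pri, 8)
    return rec


def failed_logins_by_host(lines):
    """Count sshd 'Failed password' events keyed by the hostname field."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog(line)
        if rec is None or rec["tag"] != "sshd":
            continue
        if FAILED_RE.search(rec["msg"]):
            counts[rec["host"]] += 1
    return counts


def hosts_over_threshold(counts, threshold):
    """Hosts whose own failure count reaches the threshold (per-host correlation)."""
    return sorted(h for h, n in counts.items() if n >= threshold)


def collapsed_total(counts):
    """What a collector that ignores the hostname would see: one big count."""
    return sum(counts.values())


if __name__ == "__main__":
    counts = failed_logins_by_host(SAMPLE_LINES)
    threshold = 3  # constructed threshold for the example
    print("per-host failures:", dict(counts))
    print("hosts at/over threshold:", hosts_over_threshold(counts, threshold))
    print("collapsed total if hostname were ignored:", collapsed_total(counts))
```

With these lines only server1 reaches the threshold of three failures on its own, while a collector that lumped every relayed line under "localhost" would see five failures and fire on the combined stream, which is exactly the premature correlation Eric was worried about.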
