I feel that OSSEC should not be expected to support reliable/guaranteed log shipping as has come up more than once in the last few weeks on this mailing list. There are very well supported comercial and free systems for that. OSSEC is a HIDS, not a log shipping application.
For example; the NXLOG enterprise edition (paid) supports many features including reliable operation and guaranteerd delivery (http://nxlog.org/enterprise-edition) An other option is the rsyslog RELP protocol if you don't want to pay and don't need a dead-set guarantee. (http://www.rsyslog.com/doc/imrelp.html) In sort, lets not use a screwdriver as a hammer, even if we technically could. Regards, Artien On 06/18/2014 01:58 PM, Jeremy Rossi wrote: > Log all feature comes up all the time and is confusing I think and maybe > something we should solve better. But I am worried about turning ossec from > security to a log daemon as other tools have solved that problem. > > Currently logall just saves the raw messages without any metadata like file > path, filename, timezone, etc of the event. So basiclly it's a piss poor way > of saving all messages. Not to even talk about how messages are now ossec > master and agent communicate so you get api chat in the logs. > > Is this a problem space ossec should be solving? > > Just looking for feedback :) > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
