> On Jun 18, 2014, at 8:09 AM, "Artien Bel" <[email protected]> wrote:
>
> I feel that OSSEC should not be expected to support reliable/guaranteed
> log shipping as has come up more than once in the last few weeks on this
> mailing list. There are very well supported commercial and free systems
> for that. OSSEC is a HIDS, not a log shipping application.

One of the things that has become more and more clear is that people expect ossec to do this. Be it bad docs that are not clear, or something else. Part of me agrees that use the correct tools for the job, but why ship the logs twice? And more importantly read them twice (performance of ossec is really good when compared to logstash and other things written in higher level languages).

> For example; the NXLOG enterprise edition (paid) supports many features
> including reliable operation and guaranteed delivery
> (http://nxlog.org/enterprise-edition)
> Another option is the rsyslog RELP protocol if you don't want to pay
> and don't need a dead-set guarantee.
> (http://www.rsyslog.com/doc/imrelp.html)

Only thing I can say is it's another thing to manage and admin. I don't know this is what I do in my environment. Rsyslog and socklog with Splunk and ossec for security.

>
> In short, let's not use a screwdriver as a hammer, even if we technically
> could. :)
>
> Regards,
>
> Artien
>
>> On 06/18/2014 01:58 PM, Jeremy Rossi wrote:
>> Log all feature comes up all the time and is confusing I think and maybe
>> something we should solve better. But I am worried about turning ossec from
>> security to a log daemon as other tools have solved that problem.
>>
>> Currently logall just saves the raw messages without any metadata like file
>> path, filename, timezone, etc of the event. So basically it's a piss poor way
>> of saving all messages. Not to even talk about how messages are now ossec
>> master and agent communicate so you get api chat in the logs.
>>
>> Is this a problem space ossec should be solving?
>>
>> Just looking for feedback :)
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
