Wouldn't the primary use-case be that you want to make sure that when the server goes down, and then comes back up, agent events will be processed from the moment it went down? Or perhaps in cases of (D)DoS/network congestion, to be sure that events would eventually be delivered to the server?
Personally, I feel that reliable log-shipping would have no direct relevance to killing the communication between agent and server, as the server will detect the agent being inactive. We, for example, use monitoring on the IDS-server side to alert us if an agent goes down or does not transmit any data within a specific interval. Again, to be clear: I have no actual objection to this functionality other than that I feel effort could be better invested in other parts of OSSEC, because there are already better solutions for reliable log shipping.

-artien

On 06/18/2014 03:21 PM, James M. Pulver wrote:
> I think OSSEC should be a good logging daemon. How do you generate alerts if
> you can't guarantee you get the logs, if the alerts are based on central
> processing of the logs? This seems like a huge gaping hole in IDS to me - if
> I was attacking an OSSEC endpoint, first thing I'd do once I realized it was
> running OSSEC would be to see if I can block its network access to the OSSEC
> server without killing my access. Now the org running OSSEC is effectively
> blinded to my work unless there's something else running.
>
> --
> James Pulver
> CLASSE Computer Group
> Cornell University
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Jeremy Rossi
> Sent: Wednesday, June 18, 2014 8:49 AM
> To: [email protected]
> Subject: Re: [ossec-list] logall
>
>
>> * James M. Pulver <[email protected]> [2014-06-18 12:03:15 +0000]:
>>
>>> Maybe I'm crazy, but I think OSSEC is like a log daemon +…
>>> It's cross platform, it includes encryption, it has built-in filtering
>>> and can do active response. Why would it make sense to duplicate log
>>> shipping if you need it to do the security stuff? I.e. OSSEC ought to be a
>>> good log aggregator to serve its primary security goal IMO.
>
> I don't know :) part of why I am asking.
>
> All the features you list don't in my mind make it a logging daemon.
> Active response, encryption, cross platform etc. make it a good HIDS.
>
> But the feature of reading the log files fast and efficiently and moving them
> to a central server is very much log daemon-ish. But this feature is used to
> centrally process, not to do anything more (outside of logall). We don't keep
> the encrypted bytes for confirming the message has not been modified or for
> verification of the host it came from. We don't store any metadata about
> where the log file was gathered from. Basically it is missing a huge pile of
> features to make it a *good* logging daemon.
>
> Do we want to make this a *good* logging daemon tool and spend that time and
> effort to build and support this feature set and direction?
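As an added illustration of the server-side "silent agent" monitoring artien describes (this is example code written for this page, not code from the thread, from artien's setup or from OSSEC), the check below takes each agent's last-seen time and flags agents that have not reported within a chosen interval. It also addresses James's scenario: an agent whose host still answers on the network but has stopped reporting looks like blocked agent traffic rather than a dead host, so it is graded higher than a host that is entirely unreachable. The agent names, IPs, last-seen timestamps and the `HOST_UP` reachability map are constructed for the example; in a real deployment last-seen would be read from the manager's agent status data and reachability from an actual probe, both of which are assumptions here.

```python
"""Stale-agent check for a HIDS manager (added example, not OSSEC code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class AgentStatus:
    name: str
    ip: str
    last_seen: Optional[datetime]  # None: the agent has never checked in


@dataclass
class Finding:
    agent: str
    ip: str
    silent_for: Optional[timedelta]  # None when the agent never reported
    host_reachable: Optional[bool]   # None when no reachability probe was given
    severity: str


def find_silent_agents(
    agents: List[AgentStatus],
    now: datetime,
    max_silence: timedelta,
    host_up: Optional[Callable[[str], Optional[bool]]] = None,
) -> List[Finding]:
    """Return one Finding per agent that has been silent longer than max_silence.

    A last_seen in the future (clock skew between manager and probe) yields a
    negative gap and is treated as 'recently seen', not as an alert.
    """
    findings: List[Finding] = []
    for agent in agents:
        if agent.last_seen is None:
            gap = None
            silent = True
        else:
            gap = now - agent.last_seen
            silent = gap > max_silence
        if not silent:
            continue

        reachable = host_up(agent.ip) if host_up is not None else None
        if reachable:
            # Host answers but the agent does not: agent killed or its
            # traffic to the manager blocked. This is the attacker case.
            severity = "high"
        else:
            # Whole host down (or unknown): likely an outage, still a ticket.
            severity = "medium"
        findings.append(Finding(agent.name, agent.ip, gap, reachable, severity))
    return findings


# ---- constructed sample data (assumed values, not taken from any real manager) ----
NOW = datetime(2014, 6, 18, 15, 30, tzinfo=timezone.utc)
SAMPLE_AGENTS = [
    AgentStatus("web01", "10.0.0.11", NOW - timedelta(minutes=2)),   # healthy
    AgentStatus("web02", "10.0.0.12", NOW - timedelta(hours=1)),     # silent, host up
    AgentStatus("db01", "10.0.0.21", NOW - timedelta(minutes=45)),   # silent, host down
    AgentStatus("new-host", "10.0.0.99", None),                      # never reported
]
HOST_UP: Dict[str, bool] = {
    "10.0.0.11": True,
    "10.0.0.12": True,
    "10.0.0.21": False,
    "10.0.0.99": True,
}


def sample_host_up(ip: str) -> Optional[bool]:
    """Stand-in for a real reachability probe (ping/port check)."""
    return HOST_UP.get(ip)


def demo(max_silence_minutes: int = 15) -> List[Finding]:
    return find_silent_agents(
        SAMPLE_AGENTS, NOW, timedelta(minutes=max_silence_minutes), sample_host_up
    )


if __name__ == "__main__":
    for f in demo():
        since = "never" if f.silent_for is None else str(f.silent_for)
        print(f"[{f.severity}] {f.agent} ({f.ip}) silent for {since}, "
              f"host reachable={f.host_reachable}")
```

Run this on a schedule shorter than the interval you pick: the interval must be longer than the agents' keepalive period plus normal jitter, or the check pages on every hiccup, but short enough that an attacker who blocks the agent does not get hours of unobserved time.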
