Agreed. And yes - why do I want 2 streams of data being sent over my network, when one is sufficient? What if the EPS is so high that sending 2 streams - one for a syslog-tool and the other for OSSEC, brings my network to its knees? It really does make sense to simply strengthen the log all features of OSSEC. It really is not much of a stretch. Besides, what defines a HIDS anyway? Doesn't that include log file delivery - at least if we are making it PCI compliant?
Since the data is already being shipped, it does not seem like much of a problem to add a few extensions to how logall processes the data.

~J

On Wednesday, June 18, 2014 7:12:02 AM UTC-7, Michael Starks wrote:
>
> On 2014-06-18 7:57, Jeremy Rossi wrote:
> > One of the things that has become more and more clear is that people expect ossec to do this. Be it bad docs that are not clear, or something else. Part of me agrees that use the correct tools for the job, but why ship the logs twice? And more importantly read them twice (performance of ossec is really good when compared to logstash and other things written in higher level languages).
>
> This!
>
> This is how it always plays out in the real world when someone wants to use OSSEC and save all logs for regulatory reasons, which is most of the time in an enterprise. OSSEC is already shipping logs, so it makes sense to have only one agent on the box that does that. Plus it encrypts, compresses and authenticates, which is something that requires special configuration for other agents, if they support it at all. It's hard to design a robust log environment using only OSSEC agents, but if it was a bit more flexible in the way that it allowed you to access raw logs on the manager, then they could be archived in Logstash, or ELSA, or RSA enVision, or whatever.
>
> All this really means is that the events OSSEC transports are more standardized and accessible, which fits in perfectly with the modular and flexible nature of the software.
