On Sep 24, 2015 9:15 AM, "Wes" <[email protected]> wrote:
>
> Please excuse me if this is not the proper place, but I was reading Josh's paper (https://www.sans.org/reading-room/whitepapers/forensics/sysmon-enrich-security-onion-039-s-host-level-capabilities-35837) in regard to the use of Sysmon, Windows Event Collector Framework, and OSSEC to forward logs from Windows workstations and servers to Security Onion, but I wanted to be sure about a thing or two before I began such a project.
>
> From the paper, I can see that the intention (for the Hybrid setup) is that Sysmon will be running on all workstations (onsite/offsite), and all workstations will be configured with Windows Event Forwarding to forward logs to a log collector (OSSEC). From here the log collector will forward information to Security Onion (sensor).
>
> -- The log collector should be running the OSSEC agent, correct? Or is this to run the manager? I guess my impression was that the agent only collected logs locally, but what I have read gives me the impression that the agent can be forwarded logs and forward those logs as well?
>

I've only skimmed the hybrid section of the paper, and I don't know a lot about Windows Event Forwarder, but I would assume the log collector is a Windows system. Because of that it can only run the OSSEC agent software. It looks like the collector collects the logs via WEF, allowing the OSSEC agent to pull them in, and forwards them onto the OSSEC server. Josh is on the list though, and I would expect him to reply when he gets a chance. :-)

> Again please excuse my ignorance -- if anyone could clarify or could point me towards some more information, I would greatly appreciate it.
>
> Thanks,
>
> Wes
>
> --
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
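To make the reply's description concrete, here is an added example (not taken from the paper, the thread, or OSSEC's own documentation) of the kind of `ossec.conf` fragment the OSSEC agent on the Windows WEF collector would use to read the events that workstations forward to it and ship them on to the manager. It assumes an agent version that supports the `eventchannel` log format, the default WEF destination channel `ForwardedEvents`, the default Sysmon channel name, and a placeholder manager address.

```xml
<!-- Added example: agent-side ossec.conf on the Windows WEF collector.
     Layout, channel names and the manager address are assumptions. -->
<ossec_config>
  <client>
    <!-- OSSEC manager that receives everything this agent reads (placeholder) -->
    <server-ip>MANAGER_IP_PLACEHOLDER</server-ip>
  </client>

  <!-- Events pushed by the workstations over Windows Event Forwarding land in
       the collector's ForwardedEvents channel. Reading it with the eventchannel
       format keeps the structured fields of each event, including the Sysmon
       fields, instead of flattening them to text. -->
  <localfile>
    <log_format>eventchannel</log_format>
    <location>ForwardedEvents</location>
  </localfile>

  <!-- Optional: the collector's own Sysmon events, read locally the same way. -->
  <localfile>
    <log_format>eventchannel</log_format>
    <location>Microsoft-Windows-Sysmon/Operational</location>
  </localfile>
</ossec_config>
```

After restarting the agent, a quick check is to confirm that Sysmon events from a remote workstation appear in the manager's archives with the collector as the reporting agent.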
