Thanks for your help, Dan. Wes
On Thursday, September 24, 2015 at 9:28:04 AM UTC-4, dan (ddpbsd) wrote:

> On Sep 24, 2015 9:15 AM, "Wes" <[email protected]> wrote:
> >
> > Please excuse me if this is not the proper place, but I was reading Josh's paper
> > (https://www.sans.org/reading-room/whitepapers/forensics/sysmon-enrich-security-onion-039-s-host-level-capabilities-35837)
> > in regard to the use of Sysmon, Windows Event Collector Framework, and OSSEC to forward logs from Windows workstations and servers to Security Onion, but I wanted to be sure about a thing or two before I began such a project.
> >
> > From the paper, I can see that the intention (for the Hybrid setup) is that Sysmon will be running on all workstations (onsite/offsite), and all workstations will be configured with Windows Event Forwarding to forward logs to a log collector (OSSEC). From here the log collector will forward information to Security Onion (sensor).
> >
> > --The log collector should be running the OSSEC agent, correct? Or is this to run the manager? I guess my impression was that the agent only collected logs locally, but from what I have read gives me the impression that the agent can be forwarded logs and forward those logs as well?
>
> I've only skimmed the hybrid section of the paper, and I don't know a lot about Windows Event Forwarder, but I would assume the log collector is a Windows system. Because of that it can only run the OSSEC agent software. It looks like the collector collects the logs via WEF, allowing the OSSEC agent to pull them in, and forwards them on to the OSSEC server.
>
> Josh is on the list though, and I would expect him to reply when he gets a chance. :-)
>
> > Again please excuse my ignorance--if anyone could clarify or could point me towards some more information, I would greatly appreciate it.
> >
> > Thanks,
> >
> > Wes

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
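One way the collector Dan describes can be wired up, as an added illustration that is neither from Josh's paper nor from anyone on the list: an ossec.conf fragment for the OSSEC agent on the Windows log collector that reads the events WEF has deposited in the collector's ForwardedEvents channel and ships them to the manager on the Security Onion sensor. MANAGER_IP is a placeholder I chose; the Sysmon channel name is Sysmon's own.

```xml
<!-- ossec.conf on the Windows log collector (OSSEC agent, not manager).
     Added illustration; MANAGER_IP is a placeholder for the Security Onion sensor. -->
<ossec_config>
  <client>
    <!-- The agent only talks to the manager; on Windows it cannot be one. -->
    <server-ip>MANAGER_IP</server-ip>
  </client>

  <!-- Events pushed by WEF from every subscribed workstation land in the
       collector's ForwardedEvents channel. Reading that channel in
       eventchannel format makes the agent forward each event, whatever
       workstation produced it, on to the manager. -->
  <localfile>
    <location>ForwardedEvents</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- The collector's own local Security log is still worth shipping. -->
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <!-- For a host that runs the agent directly (no WEF hop), read the
       Sysmon channel itself instead of ForwardedEvents. -->
  <!--
  <localfile>
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
  -->
</ossec_config>
```

The agent never needs to know which endpoint an event came from; the WEF subscription on the collector decides what lands in ForwardedEvents, so confirm Sysmon events are appearing in that channel locally (Event Viewer) before expecting them at the manager.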
