I'm new to OSSEC and also OSSIM and I've just set up a very simple topology.

I've got OSSIM on one machine and a single FreeBSD based machine running 
OSSEC and Snort. I've added the agent in the Agents tab and I can see it 
connects fine.

I see OSSIM and OSSEC working together to schedule and run rootkit checks 
and syschecks, but I also know that OSSEC can parse the system logs and 
Snort logs looking for security issues. Currently, the OSSEC configuration 
is not set up to look at logs and other than manually editing the 
agent.conf I can't see any way to enable this functionality from OSSIM (I'm 
using the agent.conf deployment feature).

My question is:

Should the OSSEC agent be parsing the system logs and Snort logs and then 
sending relevant data to the OSSIM server, or should I set it up to send my 
logs directly to the OSSIM server using Syslog, bypassing the OSSEC agent 
altogether?

In each case what are the advantages and disadvantages? 

In my setup it would be simplest for the OSSEC agent to handle 
rootkit checking and syschecking only, with the system logs and Snort logs 
being sent directly to the OSSIM server using Syslog.

Thanks in advance.
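For reference, this is what enabling log collection in the centrally deployed agent.conf looks like. It is an added example, not part of the original post or the OSSEC project's shipped configuration; the two file paths are assumptions for a FreeBSD host with a default syslog layout and a typical Snort alert file, so adjust them to the actual locations on the agent.

```xml
<agent_config>
  <!-- System log: log_format "syslog" handles standard syslog lines.
       Path is an assumption for FreeBSD; check /etc/syslog.conf. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <!-- Snort alerts: "snort-full" parses the full-format alert file
       (use "snort-fast" for fast-format output). Path is an assumption. -->
  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>
</agent_config>
```

Once the agent picks up the updated shared configuration, it tails both files and forwards matching events to the OSSEC server, where the decoders and rules run before anything reaches OSSIM. One caveat when weighing this against direct Syslog forwarding: do not enable both paths for the same file, or every event arrives twice at OSSIM, once raw over Syslog and once as an OSSEC alert.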

