I would advice to use OSSEC agents to collect system logs data, since you
already have it there doing FIM and anomalies detection anyway. Also
communications are authenticated and encrypted (as opposed to default
Other advantage is that you pre-process them through OSSEC decoders and
rules (before it gets to OSSIM
correlation engine), detecting possible security issues, misconfigurations,
errors,.... As well you can trigger automatic emails and use active
responses (if you need them).
On the other hand, I don't see a lot of value in processing Snort logs
through OSSEC (unless you want to use active-responses or use CDBs for
white/black listing). I would advice to send them directly to OSSIM and
enable snort-syslog plugin (unless you decide to use embedded Suricata).
I hope that helps,
On Wed, Sep 21, 2016 at 2:13 PM, Eponymous - <the.e...@gmail.com> wrote:
> I'm new to OSSEC and also OSSIM and I've just set up a very simple
> I've got OSSIM on one machine and a single FreeBSD based machine running
> OSSEC and Snort. I've added the agent in the Agents tab and I can see it
> connects fine.
> I see OSSIM and OSSEC working together to schedule and run rootkit checks
> and syschecks, but I also know that OSSEC can parse the system logs and
> Snort logs looking for security issues. Currently, the OSSEC configuration
> is not set up to look at logs and other than manually editing the
> agent.conf I can't see any way to enable this functionality from OSSIM (I'm
> using the agent.conf deployment feature).
> My question is:
> Should the OSSEC agent be parsing the system logs and Snort logs and then
> send relevant data to the OSSIM server or should I set it up to send my
> logs directly to the OSSIM server using Syslog, bypassing the OSSEC agent
> all together?
> In each case what are the advantages and disadvantages?
> In my setup it would be the most simple for the OSSEC agent to handle
> rootkit checking and syschecking only, with the system logs and Snort logs
> being sent directly to the OSSIM server using Syslog.
> Thanks in advance.
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
You received this message because you are subscribed to the Google Groups
To unsubscribe from this group and stop receiving emails from it, send an email
For more options, visit https://groups.google.com/d/optout.