Hi, Wazuh has rule updates and a nice integration of PCI DSS compliance. More and more, Wazuh is different from OSSEC, but I think they contribute to it too.

I am still using OSSEC with our ELK, but ELK is a pain in the ass to upgrade, so I think Graylog is better for searching logs. There is SIEMonster, which integrates OSSEC/Wazuh too; great job, but still a bit disappointing. I really hope OSSEC will still have improvements; this is a great tool, but I can only debug to help. The problem we face now is a botnet using a different IP for each brute-force attempt; that is a limit of the decoder, which checks only urp/ip/etc. There is a big step between HIDS and SIEM, and the cost. For us, OSSEC needs better reporting and correlation.

----- Original message -----
From: "Philip Alexander" <[email protected]>
To: "ossec-list" <[email protected]>
Sent: Monday, 30 January 2017 19:05:50
Subject: [ossec-list] Regular OSSEC vs OSSEC Wazuh

I intend to set up OSSEC and noticed there seem to be two main flavours: regular OSSEC and the Wazuh fork. From what I've been able to gather, the main advantages of Wazuh are:

* its ability to integrate with ELK
* an improved ruleset
* a RESTful API

I have no interest in using ELK for this project, but we already have a pre-existing Graylog instance that I'd like to hook up with OSSEC, which should be possible in regular OSSEC using syslog CEF format, according to this: https://github.com/Graylog2/graylog-guide-ossec . I assume I can still use the improved ruleset even if I run regular OSSEC; at least I haven't seen anything that indicates otherwise. As for the RESTful API, I'm still very inexperienced and I've only recently heard about REST (I don't even know how I would begin putting it to use), so I'm not sure if I should use the Wazuh fork just for that.

The objective is to run OSSEC agents on the machines in our cloud environment and point them to an OSSEC server on a machine that's already being used for log management and monitoring on the same network.

Are there any other advantages to running Wazuh instead of regular OSSEC? Is there much of a performance difference? Anything else I should take into consideration?
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
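The distributed brute-force case raised in the reply above (one failed login per source IP, so a per-IP frequency threshold never trips), shown as added example code that is not from either poster nor from the OSSEC or Wazuh projects. The sshd log lines, hostnames and addresses are constructed for the example, and the window size and thresholds are assumptions; the point is that keying the count on the target user rather than on the source IP is what exposes the botnet.

```python
"""Distributed brute-force detection over constructed sshd log lines.

Added illustration, not OSSEC/Wazuh code. A per-source-IP threshold (the
classic HIDS rule) catches one noisy host but misses a botnet that uses a
fresh IP for each attempt; grouping failures by target user inside a sliding
time window catches both.
"""
import re
from collections import defaultdict
from datetime import datetime

# Standard OpenSSH failure line: "Failed password for [invalid user] NAME from IP"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample (hosts and IPs are documentation ranges, not real data):
# a botnet wave against 'root' from five distinct IPs, one host hammering
# 'admin', a single typo by a legitimate user, and a late lone retry on 'root'.
SAMPLE_LOG = """\
Jan 30 19:05:50 web1 sshd[1201]: Failed password for root from 203.0.113.10 port 4122 ssh2
Jan 30 19:05:52 web1 sshd[1202]: Failed password for root from 203.0.113.11 port 4130 ssh2
Jan 30 19:05:55 web1 sshd[1203]: Failed password for root from 198.51.100.7 port 5001 ssh2
Jan 30 19:06:01 web1 sshd[1204]: Failed password for root from 198.51.100.8 port 5002 ssh2
Jan 30 19:06:03 web1 sshd[1205]: Failed password for root from 192.0.2.44 port 6100 ssh2
Jan 30 19:06:10 web1 sshd[1206]: Failed password for invalid user admin from 192.0.2.99 port 7000 ssh2
Jan 30 19:06:11 web1 sshd[1207]: Failed password for invalid user admin from 192.0.2.99 port 7001 ssh2
Jan 30 19:06:12 web1 sshd[1208]: Failed password for invalid user admin from 192.0.2.99 port 7002 ssh2
Jan 30 19:06:13 web1 sshd[1209]: Failed password for invalid user admin from 192.0.2.99 port 7003 ssh2
Jan 30 19:06:14 web1 sshd[1210]: Failed password for invalid user admin from 192.0.2.99 port 7004 ssh2
Jan 30 19:07:30 web1 sshd[1211]: Failed password for alice from 10.0.0.5 port 50022 ssh2
Jan 30 19:20:00 web1 sshd[1212]: Failed password for root from 203.0.113.12 port 4140 ssh2
"""


def parse_failures(log_text, year=2017):
    """Yield (timestamp, user, ip) for every sshd failed-password line.

    Syslog lines carry no year, so one is assumed (2017, the thread's date).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def detect(log_text, timeframe=120, per_ip_threshold=5, distinct_ip_threshold=4):
    """Run both detections and return {"per_ip": {...}, "per_user": {...}}.

    per_ip:   source IP -> failure count, once it reaches per_ip_threshold
              (the rule a decoder keyed on source IP can express).
    per_user: target user -> sorted distinct source IPs seen within a sliding
              window of `timeframe` seconds, once distinct_ip_threshold is hit
              (the distributed case). Thresholds are assumptions for the demo.
    """
    per_ip = defaultdict(int)
    per_user_events = defaultdict(list)  # user -> [(ts, ip), ...] inside the window
    alerts = {"per_ip": {}, "per_user": {}}
    for ts, user, ip in parse_failures(log_text):
        per_ip[ip] += 1
        if per_ip[ip] >= per_ip_threshold:
            alerts["per_ip"][ip] = per_ip[ip]

        window = per_user_events[user]
        window.append((ts, ip))
        # Expire events older than the window relative to the newest event;
        # the newest event itself is never expired, so this always terminates.
        while (ts - window[0][0]).total_seconds() > timeframe:
            window.pop(0)
        distinct = {src for _, src in window}
        if len(distinct) >= distinct_ip_threshold:
            alerts["per_user"][user] = sorted(distinct)
    return alerts


if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        print(kind, hits)
```

Running it flags 192.0.2.99 under `per_ip` (five attempts on `admin`) and `root` under `per_user` with five distinct sources, while the per-IP view sees each botnet address only once and stays silent on it; the lone `root` retry at 19:20 falls outside the window and does not re-trigger. In an OSSEC ruleset the same idea is expressed in a composite rule with `<same_user />` instead of `<same_source_ip />` next to `<frequency>` and `<timeframe>`, which is worth trying before concluding the correlation has to move out to a SIEM.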
