I hope the logs are first compressed and then encrypted. Otherwise, if encrypted first, no compression would be achieved.
On Nov 15, 2007 9:24 PM, Michael Starks <[EMAIL PROTECTED]> wrote:
>
> Hello Branko,
>
> > 1. How are logs sent to the server (complete logs or diffs)?
>
> Every event is sent to the server. OSSEC then evaluates the message
> against the rules. If there is a match, it is logged and action is
> taken based on the logic in the rule. If there is no match, then the
> message is discarded (by default, but this can be changed).
>
> > Are all the logs that ossec agent is configured to monitor processed by server or
> > agent has some kind of intelligence? I'm asking this because I would
> > need the information about possible network and server load in case when
> > agents are installed on servers with big traffic. For example, web servers
> > with big number of visits (which for sure generate big access and
> > probably error logs).
>
> As stated, every event is sent to the server for analysis. But the
> events are also encrypted and compressed, so the traffic isn't as much
> as the raw event would be.
>
> > 2. Where are the referent integrity checking hashes kept and where does
> > the hash comparison take place?
>
> To the best of my understanding, there is a local database for cache
> purposes (at least there is on Windows), but again, the event is sent to
> the server for comparison with stored checksums.
>
> > 3. How exactly does the rootkit detection work?
>
> There are several things going on here. One novel method is that OSSEC
> looks at what the OS reports as listening on the host, then attempts to
> bind to every port. If they don't match up, an alert is sent. There
> can be problems with this on some installations which open and close
> ports very quickly. OSSEC uses other methods, and for those I will
> simply refer you to the mailing list archive for a thorough discussion.
>
> HTH,
> Mike
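The reply's point about ordering (compress first, then encrypt) can be checked directly. The following is an added example, not code from the thread or from OSSEC: it runs a constructed batch of repetitive web-server access log lines through both orderings, using zlib and a toy keystream cipher (SHA-256 in counter mode, XORed over the data) as a stand-in for whatever cipher the agent really uses. Ciphertext looks random to a compressor, so encrypt-then-compress gains nothing, while compress-then-encrypt keeps the full savings.

```python
"""Added example (not from the thread, not OSSEC code): why agent traffic must
be compressed before it is encrypted, shown on a constructed access log."""
import hashlib
import zlib

# Constructed sample: 200 near-identical access log lines, the kind of volume a
# busy web server would ship to the OSSEC server every few seconds.
SAMPLE_LOG = b"".join(
    b'10.0.0.%d - - [15/Nov/2007:21:24:%02d +0000] '
    b'"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n' % (i % 7, i % 60)
    for i in range(200)
)
KEY = b"constructed-demo-key"  # demo key, not a real secret


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || offset) blocks.
    Symmetric (same call decrypts). Demonstration only; not OSSEC's cipher and
    not suitable for production use."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def compress_then_encrypt(key: bytes, data: bytes) -> bytes:
    """The ordering the reply hopes for: shrink first, then hide."""
    return keystream_xor(key, zlib.compress(data, 9))


def encrypt_then_compress(key: bytes, data: bytes) -> bytes:
    """The wrong ordering: the compressor only ever sees pseudo-random bytes."""
    return zlib.compress(keystream_xor(key, data), 9)


def decrypt_and_decompress(key: bytes, wire: bytes) -> bytes:
    """Receiver side for compress_then_encrypt: undo the XOR, then inflate."""
    return zlib.decompress(keystream_xor(key, wire))


def size_report(key: bytes, data: bytes) -> dict:
    """Bytes on the wire for each ordering, for a quick comparison."""
    return {
        "raw": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(key, data)),
        "encrypt_then_compress": len(encrypt_then_compress(key, data)),
    }


if __name__ == "__main__":
    for name, size in size_report(KEY, SAMPLE_LOG).items():
        print(f"{name:>22}: {size} bytes")
```

Run as a script it prints the three sizes; the encrypt-then-compress figure comes out slightly larger than the raw log (zlib falls back to stored blocks plus its own framing), while compress-then-encrypt is a small fraction of it. The same holds for any real cipher, since good ciphertext is incompressible by design.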

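The listening-port cross-check Mike describes (compare what the OS reports as listening against what actually refuses a bind) can be sketched in a few dozen lines. This is an added example written for this thread, not OSSEC's own rootcheck code: `reported_listening_ports_linux()` reads the kernel's view from `/proc/net/tcp` and `/proc/net/tcp6` (Linux only; on other systems you would substitute the platform's socket listing), `probe_port()` tries a TCP bind, and `hidden_listeners()` flags ports that refuse a bind but are absent from the reported set. To damp the false positives Mike mentions on hosts that open and close ports quickly, a port is probed twice with a delay and flagged only if it is busy both times; a bind refused for lack of privilege (low ports as non-root) is reported separately rather than treated as hidden.

```python
"""Added example (not OSSEC code): a listening-port cross-check in the spirit
of the rootkit detection method described in the thread."""
import socket
import time


def reported_listening_ports_linux() -> set:
    """Ports the kernel reports in LISTEN state (st == 0A) for IPv4 and IPv6.
    Linux only; the OS-reported side of the comparison."""
    ports = set()
    for table in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(table) as fh:
                next(fh)  # skip header line
                for line in fh:
                    fields = line.split()
                    if len(fields) > 3 and fields[3] == "0A":
                        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
        except OSError:
            pass  # table absent (not Linux, or protocol disabled)
    return ports


def probe_port(port: int, host: str = "127.0.0.1") -> str:
    """Try to bind host:port. Returns 'free', 'in_use' (something already holds
    the port) or 'denied' (no privilege to bind, e.g. low ports as non-root)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return "free"
    except PermissionError:
        return "denied"
    except OSError:
        return "in_use"
    finally:
        s.close()


def hidden_listeners(reported, ports, host="127.0.0.1", recheck_delay=0.2):
    """Ports in `ports` that refuse a bind on two probes spaced by
    `recheck_delay` seconds yet are missing from `reported`. The second probe
    skips short-lived sockets that merely happened to be open the first time."""
    reported = set(reported)
    hidden = []
    for port in ports:
        if port in reported:
            continue
        if probe_port(port, host) == "in_use":
            time.sleep(recheck_delay)
            if probe_port(port, host) == "in_use":
                hidden.append(port)
    return hidden


def open_test_listener(host: str = "127.0.0.1"):
    """Helper for demonstrations: open a real listener on an ephemeral port and
    return (socket, port) so the caller can see the probe flag it."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.bind((host, 0))
    ls.listen(1)
    return ls, ls.getsockname()[1]


if __name__ == "__main__":
    # Scan the privileged range against the kernel's own listing. Run as root
    # so that 'denied' results do not mask the check.
    reported = reported_listening_ports_linux()
    suspicious = hidden_listeners(reported, range(1, 1025))
    print("reported listening:", sorted(reported))
    print("bind refused but unreported:", suspicious)
```

A match between the two views is the quiet case; a port that is consistently busy yet absent from the kernel's listing is what would raise the alert. Hooking a syscall to hide a socket from the listing does not stop the kernel from refusing a second bind on it, which is why the two views disagree.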