With that many systems you're going to need lots of disk space and a fast
RAID array if you're going to do MySQL, unless you do database
partitioning with compression. I took a different approach and did
everything in text: disabled the compression in
internal_options.conf, compiled the lzma tools, ran scripts to
compress all the logs using maximum compression, configured OSSEC to
email the alerts to an account on the server, then used scripts to
gzip-compress the alerts so that dovecot would display them when I
IMAP to the system.

I have about 81 Domain Controllers, 45 Workstations/servers, and 70
Linux Systems using 37GB for 7 months of the alert.log events. The
emailed alerts are about 12MB compressed a day, so 2 months use
about 371MB.

Brett

On Dec 16, 11:23 am, "Martin Tartarelli" <martin.tartare...@gmail.com>
wrote:
> List,
>
> I need to implement OSSEC in approximately 300 servers. What should I 
> consider?
> text? MySQL? another? Disk Space?
> Experiences?
>
> Thanks
>
> --
> Martin Tartarelli
> Linux User #476492
> --
