Hey folks, I'm new to the list, I'm macker. Forgive me if these questions have been asked already, as I didn't see them after going through previous messages. I have also read an OSSEC book, which was great, and still couldn't find the answer.
I am rolling out OSSEC to a segment of my network (about 55 servers). These are split between east/west coast and are redundant locations.

1) User accounts: OSSEC requires 3 separate user accounts and 1 group account. Due to my internal Linux patch management system, it would be preferable not to need 3 separate user accounts. Is there a way to have it run as 1 user account, or is that lowering the security/segregation of duty, etc.?

2) Is it possible to have redundant OSSEC central servers set up? Not sure how that would work, since you would be sending logs to two separate locations. Also, if I were to move my one management station/central ossecd to the other coast, could I just copy the text file w/ the agent keys on it over, or are those keys based off some type of salt/encryption built specific to the ossecd box?

3) Anyone have success/horror stories I should be aware of with this amount of servers? Perhaps helpful advice, lessons learned.

Thanks,
- macker
