On 01/07/2011 08:43 AM, Anthony, Russell (Information Security) wrote:
Greetings
Has anyone successfully deployed Ossec to an environment with 25K or
more clients? I would appreciate any feedback, lessons learned,
architectural guidelines or hardware recommendations. Is there a good
rule of thumb for how many Windows clients can point to a single
OSSEC manager? What typically becomes the bottleneck as the number of
agents increases: network bandwidth, memory, CPU or disk read/writes?
Thanks!
Russ Anthony
Hello Russ,
From the section 'Monitor thousands of agents.' at
http://www.immutablesecurity.com/index.php/2010/10/20/2woo-tips-tricks/:
By default, OSSEC will handle up to 256 agents. But there are successful
installations with thousands of agents. You simply need to increase one
setting in OSSEC.
# cd src; make setmaxagents
# cd ..; ./install.sh
It also helps to increase a few kernel parameters for your system:
# ulimit -n 2048
# sysctl -w kern.maxfiles=2048
# sysctl -w net.core.rmem_default=5123840
# sysctl -w net.core.rmem_max=5123840
I like to put OSSEC on its own partition and optimize it a bit with the
noatime value. For example:
/dev/VolGroup00/ossec /log/ossec ext3 defaults,noatime 1 2
As an added benefit, if something goes crazy and starts sending out
millions of logs, it won’t fill up the root partition and take down the
entire server.
Hope this helps.
-Mike
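The tuning steps in Mike's reply can be turned into a quick audit of a manager. The script below is an added example, not something from this thread or from the OSSEC project. It assumes a Linux manager (so the open-file limit is read as fs.file-max, the Linux counterpart of the BSD kern.maxfiles name used above), the default install path /var/ossec, and the compiled-in limit of 256 agents; the fstab, sysctl and client.keys data at the bottom are constructed samples standing in for the live files, and the function names are this script's own.

```shell
#!/bin/sh
# Added example, not from the original thread: audit an OSSEC manager against
# the tuning steps above. Each check takes its input on stdin or as an
# argument, so it can be exercised with constructed data (see the bottom)
# and then pointed at the live system.

# Print the mount options of MOUNTPOINT ($1) from fstab-formatted text on
# stdin. Returns 1 if no entry exists; comment lines are ignored.
fstab_opts() {
    awk -v mp="$1" 'BEGIN { found = 0 }
        $1 !~ /^#/ && $2 == mp { print $4; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Succeed if a comma-separated mount-option list ($1) contains noatime.
has_noatime() {
    case ",$1," in
        *,noatime,*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Read `sysctl` output ("key = value" on Linux, "key: value" on BSD) from
# stdin and compare it with the minimums suggested above. Prints one line per
# shortfall and returns 1 if there is any. fs.file-max is the Linux name
# for what the thread calls kern.maxfiles (an assumption of this script).
check_sysctl_minimums() {
    awk '
        BEGIN {
            bad = 0
            want["net.core.rmem_default"] = 5123840
            want["net.core.rmem_max"]     = 5123840
            want["fs.file-max"]           = 2048
        }
        {
            gsub(/[:=]/, " ")            # normalise both output styles
            if ($1 in want) {
                seen[$1] = 1
                if ($2 + 0 < want[$1]) {
                    printf "%s is %s, want >= %d\n", $1, $2, want[$1]; bad = 1
                }
            }
        }
        END {
            for (k in want) if (!(k in seen)) { printf "%s not reported\n", k; bad = 1 }
            exit bad
        }'
}

# Count enrolled agents in client.keys text on stdin (one "id name ip key"
# line per agent; comment lines ignored) against the compiled-in limit ($1,
# 256 unless raised with `make setmaxagents`). Prints the count and returns
# 1 when the limit has been reached.
agent_headroom() {
    awk -v max="$1" 'NF >= 4 && $1 !~ /^#/ { n++ }
        END { print n + 0; exit (n + 0 >= max ? 1 : 0) }'
}

# --- constructed sample data, standing in for the live files ---
SAMPLE_FSTAB='# <device>            <mountpoint> <fs>  <options>        <dump> <pass>
/dev/VolGroup00/root  /            ext3  defaults         1 1
/dev/VolGroup00/ossec /log/ossec   ext3  defaults,noatime 1 2'

SAMPLE_SYSCTL_BAD='net.core.rmem_default = 212992
net.core.rmem_max = 5123840
fs.file-max = 2048'

SAMPLE_CLIENT_KEYS='001 web01 10.0.0.11 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
002 db01 10.0.0.12 fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210'

demo() {
    if opts=$(printf '%s\n' "$SAMPLE_FSTAB" | fstab_opts /log/ossec) && has_noatime "$opts"; then
        echo "/log/ossec: own partition with noatime ($opts)"
    else
        echo "/log/ossec: not on its own partition with noatime"
    fi
    printf '%s\n' "$SAMPLE_SYSCTL_BAD" | check_sysctl_minimums || echo "sysctl: tuning incomplete"
    n=$(printf '%s\n' "$SAMPLE_CLIENT_KEYS" | agent_headroom 256) || echo "agents: at compiled-in limit"
    echo "agents enrolled: $n"
}
demo
```

Against a live manager the same functions read the real files: `fstab_opts /log/ossec < /etc/fstab`, `sysctl -a | check_sysctl_minimums`, and `agent_headroom 256 < /var/ossec/etc/client.keys` (pass the value you chose in `make setmaxagents` instead of 256 if you raised it). The sysctl check only covers the receive-buffer and file-descriptor knobs from the reply; `ulimit -n` is per-process and has to be checked in the shell that starts ossec-remoted.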