Thanks Kat

We had suggested Splunk as being a better tool for scraping the logs for
their application stuff but the boss has already seen what OSSEC can do
and likes the output and hasn't been receptive to trying anything else.

I'll keep pushing it and hope for a better resolution to come our way at
some point.

Sherman Butler

On 10/19/11 7:49 AM, "Kat" <uncommon...@gmail.com> wrote:

>Did something similar using the smaller version of Splunk (500 meg) -
>stuck with a single server, but created dashboards inside splunk to
>split the appropriate alerts.
>Something to think about.
>
>On Oct 19, 9:27 am, Sherman Butler <sbut...@cequint.com> wrote:
>> I'm wondering if it's possible to have multiple instances of server or
>>client running on the same host?  Systems are x86 Intel running x86
>>Solaris, no Windows systems involved.
>>
>> We have two different groups of people using OSSEC for different
>>issues.  One group are the system admins and just want to see the basic
>>system alerts and errors that are logged through syslog, the other group
>>is the application admins and they want to see the error messages from
>>their applications which also log to syslog.  The problem is the number
>>of application messages making it into syslog and therefore to OSSEC
>>make it very difficult to pick out the relevant alerts the system admins
>>would like to see.
>>
>> We thought if we could set up two instances of server and client we
>>could separate the differing requirements.  Anyone know if this is
>>possible?
>>
>> Sherman Butler
