That works great for the server side and honestly I didn't consider the
server to be a huge issue since we could always run it on a different
host.  The real issue in my mind is how to get the client to report to
both servers at the same time looking at different log files.  But now
that I think more about that, we can send everything to both servers and
just use ignore rules in the rules file for the one reporting just system
alerts. A bit more configuration work but doable I think.

I'll have to figure out how to get the client keys off the first server
and onto the second but I don't think that's an issue.  It's just a file
in etc.  

I'll look into that a little deeper.

Thanks Andy
Sherman 



On 10/19/11 11:35 AM, "Andy Cockroft (andic)" <an...@andic.co.nz> wrote:

>How about Virtualisation using VMWARE?
>
>Run as many instances of OSSEC as you want - within reason
>
>Andy
>
>
>-----Original Message-----
>From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com]
>On Behalf Of Sherman Butler
>Sent: Thursday, 20 October 2011 7:25 a.m.
>To: ossec-list@googlegroups.com
>Subject: Re: [ossec-list] Re: Multiple instances of OSSEC running on a
>single system
>
>Thanks Kat
>
>We had suggested splunk as being a better tool for scraping the logs for
>their application stuff but the boss has already seen what OSSEC can do
>and likes the output and hasn't been receptive to trying anything else.
>
>I'll keep pushing it and hope for a better resolution to come our way at
>some point.
>
>Sherman Butler
>
>On 10/19/11 7:49 AM, "Kat" <uncommon...@gmail.com> wrote:
>
>>did something similar using the smaller version of splunk (500 meg) -
>>stuck with a single server, but created dashboards inside splunk to
>>split the appropriate alerts.
>>Something to think about.
>>
>>On Oct 19, 9:27 am, Sherman Butler <sbut...@cequint.com> wrote:
>>> I'm wondering if it's possible to have multiple instances of server
>>>or client running on the same host?  Systems are x86 intel running x86
>>>Solaris, no windows systems involved.
>>>
>>> We have two different groups of people using OSSEC for different
>>>issues.  One group are the system admins and just want to see the
>>>basic system alerts and errors that are logged through syslog, the
>>>other group is the application admins and they want to see the error
>>>messages from their applications which also log to syslog.  The
>>>problem is the number of application messages making it into syslog
>>>and therefore to OSSEC make it very difficult to pick out the relevant
>>>alerts the system admins would like to see.
>>>
>>> We thought if we could set up two instances of server and client we
>>>could separate the differing requirements.  Anyone know if this is
>>>possible?
>>>
>>> Sherman Butler
>
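The approach Sherman sketches at the top of the thread (both servers see the same syslog stream, and the server meant for the system admins silences the application noise with ignore rules) can be expressed as a local rules file on that server. The fragment below is an added illustration, not configuration from the list or from the OSSEC project; the rule id 100100 and the program name "myapp" are placeholders for the site's own values. It hangs a level-0 child off OSSEC's built-in rule 1002 (the generic syslog "bad word" catch-all), so messages from the application's syslog identifier are dropped there while everything else keeps its default alerting.

```xml
<!-- local_rules.xml on the server that reports only system alerts.
     Added example; rule id 100100 and program name "myapp" are placeholders.
     The application admins' server keeps the stock rules and so still
     sees these messages. -->
<group name="local,syslog,">

  <!-- Child of 1002 ("Unknown problem somewhere in the system").
       Level 0 means "ignore": the message is matched and then discarded,
       so it never reaches the sysadmin alert log or e-mail. -->
  <rule id="100100" level="0">
    <if_sid>1002</if_sid>
    <program_name>myapp</program_name>
    <description>Ignore application errors on the sysadmin server</description>
  </rule>

</group>
```

Because the ignore is scoped with `<if_sid>` and `<program_name>`, it only suppresses the application's own entries; kernel, sshd and other system messages that trip 1002 are still raised at their normal level. The same file on the application admins' server would be left empty (or carry the mirror-image rule for system programs), which is the "bit more configuration work" the post anticipates.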
