On Wed, Oct 26, 2011 at 3:56 PM, carlopmart <carlopm...@gmail.com> wrote:
> On 10/26/2011 08:33 PM, dan (ddp) wrote:
>>
>> Please excuse my ignorance. I'll take notes. :)
>>
>> On Wed, Oct 26, 2011 at 8:15 AM, carlopmart<carlopm...@gmail.com> wrote:
>>>
>>> On 10/26/2011 01:00 PM, Michael Starks wrote:
>>>>
>>>> List the most annoying bugs. What makes OSSEC difficult to use? What is
>>>> the biggest area for improvement? What are we missing? Any rules fp too
>>>> much? Now is the time to get it all out.
>>>>
>>>> --
>>>> Michael Starks
>>>> [I] Immutable Security
>>>> http://www.immutablesecurity.com
>>>
>>> IMHO, exists some improvements needed to implement on OSSEC:
>>>
>>> a) Ability to be installed on cluster systems, like RHCS (RedHat Cluster
>>> Suite) or Pacemaker/Corosync.
>>>
>>
>> What is inadequate with the current system in a clustered environment?
>> I probably just don't know enough about how these clusters operate,
>> but what needs to change in OSSEC?
>>
>
> I will try to explain. Installing OSSEC in a "real cluster suite" has these
> advantages:
>
> a) All alerts, events, etc resides on a shared storage. ALL information is
> always available. With the current model will have one part on serverA and
> another part on serverB. It is not an ideal situation, for example if you
> use some type of event correlator like Splunk or Sguil.
>
> b) Only one server IP is needed to configure on clients. If serverA fails,
> serverB takes the control tranparently for the client.
>
>
> Of course, this type of configuration permits cluster over geolocation sides
> ...
>
> What needs to change in OSSEC code?? Needs to permit to bind to specific IP
> address and assign a hostname different from the real host on is installed.
> After this, OSSEC can works on cluster suites .... at least the ones I know.
>
So you meant cluster the manager side?
I was wondering how a cassandra cluster would work for shared storage.
And better manager failover is something that's being thought about.
Not yet at the roadmap stage though. ;)
I'll definitely keep this in mind.
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>
