On Wed, Oct 26, 2011 at 3:56 PM, carlopmart <carlopm...@gmail.com> wrote:
> On 10/26/2011 08:33 PM, dan (ddp) wrote:
>>
>> Please excuse my ignorance. I'll take notes. :)
>>
>> On Wed, Oct 26, 2011 at 8:15 AM, carlopmart<carlopm...@gmail.com> wrote:
>>>
>>> On 10/26/2011 01:00 PM, Michael Starks wrote:
>>>>
>>>> List the most annoying bugs. What makes OSSEC difficult to use? What is
>>>> the biggest area for improvement? What are we missing? Any rules fp too
>>>> much? Now is the time to get it all out.
>>>>
>>>> --
>>>> Michael Starks
>>>> [I] Immutable Security
>>>> http://www.immutablesecurity.com
>>>
>>> IMHO, exists some improvements needed to implement on OSSEC:
>>>
>>> a) Ability to be installed on cluster systems, like RHCS (RedHat Cluster
>>> Suite) or Pacemaker/Corosync.
>>>
>>
>> What is inadequate with the current system in a clustered environment?
>> I probably just don't know enough about how these clusters operate,
>> but what needs to change in OSSEC?
>>
>
> I will try to explain. Installing OSSEC in a "real cluster suite" has these
> advantages:
>
> a) All alerts, events, etc resides on a shared storage. ALL information is
> always available. With the current model will have one part on serverA and
> another part on serverB. It is not an ideal situation, for example if you
> use some type of event correlator like Splunk or Sguil.
>
> b) Only one server IP is needed to configure on clients. If serverA fails,
> serverB takes the control transparently for the client.
>
>
> Of course, this type of configuration permits cluster over geolocation sides
> ...
>
> What needs to change in OSSEC code?? Needs to permit to bind to specific IP
> address and assign a hostname different from the real host on is installed.
> After this, OSSEC can works on cluster suites .... at least the ones I know.
>
So you meant cluster the manager side? I was wondering how a Cassandra
cluster would work for shared storage. And better manager failover is
something that's being thought about. Not yet at the roadmap stage
though. ;) I'll definitely keep this in mind.

>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
>