Very nice, that is about the size I am looking at. Plan so far is a physical OSSEC in each data center taking in feeds from about 2-4K hosts per DC (5 DCs).

Each of the OSSEC servers would then send the results to Splunk via a local Splunk agent, and then I'll use the Splunk app for OSSEC or write some custom dashboards/alerts. Trying to see how this can fit in with OSSIM also, which I am looking at. Nice to know someone else is planning/running a large install; haven't seen many documented anywhere.

Zate

On Sun, Apr 1, 2012 at 9:18 AM, Shawn Romines <sromi...@gmail.com> wrote:
> I am running an OSSEC server compiled to handle 10K hosts with over 1K
> already deployed. In 2 weeks I will be doubling my hosts and by the
> end of April I will have over 4K.
>
> Taking in events via native OSSEC and sending via remote rsyslog to
> parse. Roughly 200K events an hour.
>
> Server is RHEL on a VM with only 4G RAM and dual proc. So far no
> issues to report on the RH server. I will keep you informed if I
> notice any scalability issues.
>
> --Shawn
>
> On Sat, Mar 31, 2012 at 7:45 PM, Dan Sherman <2secur...@gmail.com> wrote:
> > I would like to know as well.
> >
> > Dan
> >
> > On Mar 31, 2012, at 5:44 PM, Zate <zat...@gmail.com> wrote:
> >
> > > Anyone running OSSEC on 1000+ hosts that wants to share some tips/
> > > tricks on a good architecture for large installs? Hardware tips,
> > > deployment tips, management tips?
> > >
> > > Don't mind discussing off list if that makes it easier.
> > >
> > > thanks.
> >
>
> --
> Regards,
> Shawn Romines
> sromi...@gmail.com
> 210-233-9619
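As an added example for the sizing question in this thread (it is not code from the thread or from the OSSEC project), the script below parses the plain-text alerts.log that an OSSEC server writes and reports alerts per agent, alerts per rule and the busiest hour, which is the figure to size a server or a Splunk forwarder against before rolling out the next few thousand agents. It assumes the standard alerts.log layout (a "** Alert" header line, an origin line with the agent name in parentheses, and a "Rule:" line per record); the sample records embedded in it are constructed, not real alerts.

```python
"""Summarise OSSEC alert volume per agent, per rule and per hour.

Added example for capacity planning on a large OSSEC install; not code
from the mailing-list thread or from the OSSEC project. Assumes the
standard text layout of /var/ossec/logs/alerts/alerts.log.
"""
import re
import sys
from collections import Counter

# Record header: "** Alert <epoch>.<seq>: [mail ] - <group1,group2,...>"
HEADER_RE = re.compile(r"^\*\* Alert (?P<epoch>\d+)\.\d+:.*- (?P<groups>\S+)$")
# Origin line: "2012 Apr 01 09:18:00 (agent) 10.0.0.5->location" for an
# agent event, or "2012 Apr 01 09:18:00 host->location" for the server.
ORIGIN_RE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "
    r"(?:\((?P<agent>[^)]+)\) \S+?|(?P<host>\S+?))->"
)
# Rule line: "Rule: 5716 (level 5) -> 'SSHD authentication failed.'"
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

# Constructed sample records in alerts.log format (not real data).
SAMPLE_ALERTS = """\
** Alert 1333271880.12345: - syslog,sshd,authentication_failed,
2012 Apr 01 09:18:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.1.20
User: root
Apr  1 09:18:00 web01 sshd[1234]: Failed password for root from 192.168.1.20 port 4321 ssh2

** Alert 1333271900.12346: - syslog,sshd,authentication_failed,
2012 Apr 01 09:18:20 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.168.1.20
User: root
Apr  1 09:18:20 web01 sshd[1235]: Failed password for root from 192.168.1.20 port 4322 ssh2

** Alert 1333272000.12347: mail  - syslog,sshd,authentication_failures,
2012 Apr 01 09:20:00 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5720 (level 10) -> 'Multiple SSHD authentication failures.'
Src IP: 192.168.1.20
User: root
Apr  1 09:19:59 web01 sshd[1240]: Failed password for root from 192.168.1.20 port 4330 ssh2

** Alert 1333275600.12348: - ossec,syscheck,
2012 Apr 01 10:20:00 (db02) 10.0.1.7->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'

** Alert 1333275660.12349: - pam,syslog,authentication_success,
2012 Apr 01 10:21:00 ossec-server->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Apr  1 10:21:00 ossec-server sshd[999]: pam_unix(sshd:session): session opened for user ops by (uid=0)
"""


def parse_alerts(text):
    """Return a list of dicts (epoch, groups, agent, rule, level, desc), one per alert."""
    alerts, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:  # a new record starts; flush the previous one
            if current is not None:
                alerts.append(current)
            current = {"epoch": int(m["epoch"]), "groups": m["groups"].strip(",").split(","),
                       "agent": None, "rule": None, "level": None, "desc": None}
            continue
        if current is None:
            continue  # text before the first header, e.g. a rotated/truncated file
        m = ORIGIN_RE.match(line)
        if m and current["agent"] is None:
            current["agent"] = m["agent"] or m["host"]  # server-local events carry no "(agent)"
            continue
        m = RULE_RE.match(line)
        if m and current["rule"] is None:
            current["rule"], current["level"], current["desc"] = int(m["id"]), int(m["level"]), m["desc"]
    if current is not None:
        alerts.append(current)
    return alerts


def summarise(alerts):
    """Return (alerts per agent, alerts per (rule id, description), peak alerts in any one hour)."""
    per_agent = Counter(a["agent"] for a in alerts)
    per_rule = Counter((a["rule"], a["desc"]) for a in alerts)
    per_hour = Counter(a["epoch"] // 3600 for a in alerts)  # bucket by wall-clock hour
    peak = max(per_hour.values()) if per_hour else 0
    return per_agent, per_rule, peak


def top_rules(per_rule, n=5):
    """The n noisiest rules as (rule id, description, count), loudest first."""
    return [(rid, desc, c) for (rid, desc), c in per_rule.most_common(n)]


if __name__ == "__main__":
    # Usage: python ossec_alert_volume.py /var/ossec/logs/alerts/alerts.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    agents, rules, peak = summarise(parse_alerts(text))
    print("agents reporting:", len(agents), " peak alerts/hour:", peak)
    for name, count in agents.most_common(10):
        print(f"  {name:20s} {count}")
    for rid, desc, count in top_rules(rules):
        print(f"  rule {rid} ({count}): {desc}")
```

Run it against a day or a week of alerts.log and the peak-hour figure, not the average, is what the server and the downstream Splunk forwarder have to absorb. Note that alerts.log only holds events that fired a rule; the raw event rate across all agents is only visible if `<logall>` is enabled in ossec.conf and archives.log is counted instead.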