4 installs --
1700 hosts
1200 hosts
1340 hosts
and 900 (oops, that is not over 1000, but close)

Use puppet to manage deployments rather than OSSEC itself. Also,
puppet maintains more than just agent.conf. Splunk on the backend with
the "Splunk for OSSEC" app handling all the "details". Also, because
this was a large mixed platform of Linux, HP-UX, AIX, Solaris and
Windoze, puppet made things much easier.

Biggest problem was the constant alerts of disconnected agents, when
they really weren't. This was caused mostly by the load and short
check times in the agent/server code. I found some patches to bump
that up, but in the beginning I just disabled the "Agent disconnected"
rules, which also worked.

** Maybe a note to developers -- as the agent count goes up, set up
check-in timers that go up with the agent count. It would avoid a lot
of false-positives on these alerts.

My biggest issue was with reporting, which is why Splunk was added to
the mix. This gives the flexibility needed to support both SOC-type
engineers as well as auditors' requests, and once the reports are
defined, they can modify them easily enough for their needs with just
a little training.

Hope this helps - if you have questions, just ask and I will try to
answer.

~K
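The check-in timer idea from the post above (a disconnect window that grows with the agent count, plus not alerting on a single missed check) written out as a small Python example. This is an added illustration, not code from the poster, from OSSEC or from the patches mentioned; the keepalive table format, the agent names, the 600 s baseline and the 0.5 s-per-agent growth are all constructed assumptions for the demonstration, and real OSSEC keeps agent state differently.

```python
"""Debounced "agent disconnected" evaluation whose keepalive window scales
with the number of managed agents.

Added example: not the poster's code, not OSSEC's code.  The input format
below is a constructed stand-in (agent name, last keepalive timestamp),
not OSSEC's own agent state files or log format.
"""
from datetime import datetime, timedelta

# Constructed sample, as a manager might see it: one line per agent with the
# time of its last keepalive.  "hpux1" has been quiet for 20 minutes.
SAMPLE_KEEPALIVES = """\
# agent   last_keepalive_utc   (constructed sample, not OSSEC's format)
web01     2010-03-01T10:00:00
web02     2010-03-01T10:00:05
db01      2010-03-01T09:58:50
hpux1     2010-03-01T09:40:00
"""

BASE_WINDOW_S = 600   # assumed baseline: 10 minutes of silence before an agent is "stale"
PER_AGENT_S = 0.5     # assumed growth: half a second of extra slack per managed agent


def keepalive_window(agent_count, base_s=BASE_WINDOW_S, per_agent_s=PER_AGENT_S):
    """Allowed silence before an agent counts as disconnected.

    A manager handling 1700 agents is under more load and answers keepalives
    later than one handling 4, so the window grows with the fleet size.
    """
    return timedelta(seconds=base_s + per_agent_s * agent_count)


def parse_keepalives(text):
    """Parse the constructed keepalive table into {agent: last_seen}."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, stamp = line.split()
        seen[name] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    return seen


def stale_agents(keepalives, now, agent_count=None):
    """Agents whose last keepalive is older than the scaled window.

    agent_count defaults to the number of agents in the table; pass the real
    fleet size when evaluating a subset (e.g. only agents on one manager).
    """
    if agent_count is None:
        agent_count = len(keepalives)
    window = keepalive_window(agent_count)
    return sorted(name for name, last in keepalives.items() if now - last > window)


class DisconnectMonitor:
    """Only alert after an agent has been stale on min_passes consecutive
    evaluations, so one slow check-in under load is not an alert."""

    def __init__(self, min_passes=2, agent_count=None):
        self.min_passes = min_passes
        self.agent_count = agent_count
        self.misses = {}  # agent -> consecutive stale evaluations

    def evaluate(self, keepalive_text, now):
        """Return agents that crossed min_passes on this evaluation (alerts
        fire once, on the crossing pass, and reset when the agent returns)."""
        keepalives = parse_keepalives(keepalive_text)
        stale = set(stale_agents(keepalives, now, self.agent_count))
        for name in keepalives:
            self.misses[name] = self.misses.get(name, 0) + 1 if name in stale else 0
        return sorted(name for name in stale if self.misses[name] == self.min_passes)


if __name__ == "__main__":
    now = datetime(2010, 3, 1, 10, 0, 10)
    table = parse_keepalives(SAMPLE_KEEPALIVES)
    print("4-agent window, stale now:   ", stale_agents(table, now))
    print("1700-agent window, stale now:", stale_agents(table, now, agent_count=1700))
    monitor = DisconnectMonitor(min_passes=2)
    print("pass 1 alerts:", monitor.evaluate(SAMPLE_KEEPALIVES, now))
    print("pass 2 alerts:", monitor.evaluate(SAMPLE_KEEPALIVES, now + timedelta(seconds=60)))
```

With the sample table, hpux1 is flagged under the 4-agent window (602 s) but not under a 1700-agent window (1450 s), which is the scaling the post asks for; the monitor then holds the alert until the second consecutive stale pass instead of firing on the first.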
