with the new "Hybrid" feature, why would you want to deploy 10000 to a single manager? As someone who has had 3000-4000 dedicated to single managers, I would strongly suggest a tiered approach. It just makes more sense. Yes, you would have to wait for 2.7 to finish the beta cycle, but to me, I would think this is the way to go.
10000 on a manager trying to maintain all the connections - just think of the load on the NIC(s) and the biggest problem being that the analysisd process is single threaded, so you are pumping all that data through one engine. I will say that yes, others are correct - management through a configuration system such as puppet or cfengine is the only way to go, and not trying to use the agent management directly within OSSEC. Just my 2 cents Kat On Tuesday, September 25, 2012 11:57:01 AM UTC-7, JB wrote: > > I know there are deployments of more than 3000 agents on one OSSEC server. > You need to keep an eye on the amount of network traffic though. > Overloading can result in lost events. > Refer to http://www.ossec.net/?p=449 under the heading OSSEC Symposium > Day 2.. > > On Sunday, September 23, 2012 5:24:17 PM UTC-7, JJ Yu wrote: >> >> Dears, >> Is there any one knows large scale development ? I want to >> implement over 10000 set. There is an issue on how to deployment client key >> and management. >> Could you share any experience? >> Many thanks. >> >> Br. JJ >> >
