On Wed, Nov 21, 2012 at 3:47 PM, Scott Nelson <wa6...@gmail.com> wrote:
> On Nov 21, 2012, at 2:23 PM, dan (ddp) wrote:
>
>>> Hmm. Okay, please have patience with me, so if I then forget about hybrid
>>> mode, then how do I forward logs safely and securely over the internet to
>>> my central ossec server?
>>
>> I think the point is to have a central repository for the alerts more
>> than having a central repo for all of the logs. Otherwise you could
>> just have 1 central server, and never have to worry about hybrid mode.
>
> For me, it is to have an off-site copy of all logs for compliance reasons.
>

How do you do it now? What problems does that method have?

> How about this: I configure my local ossec server to only log remote syslog
> files, but I also install an agent into /var/ossec/ossec-agent, and have it
> read /var/ossec/logs/archives/archives.log in addition to the standard things?

Sounds like a lot of trouble. There's a lot of potential for false positive alerts.
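For reference, Scott's proposal above written out as two ossec.conf fragments. This is an added illustration, not configuration from the thread or from the OSSEC project: the LAN range 192.0.2.0/24, the off-site server address 203.0.113.10, and the second install prefix /var/ossec/ossec-agent (OSSEC's install.sh lets you choose a non-default directory, but running two installs on one host is assumed to work and is not something the thread confirms) are placeholders.

```xml
<!-- Fragment 1: the local OSSEC server (/var/ossec/etc/ossec.conf).
     logall=yes makes the server keep a copy of every received log line in
     logs/archives/archives.log, not only lines that matched a rule.
     Added illustration; addresses are placeholders. -->
<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
  <remote>
    <connection>syslog</connection>
    <allowed-ips>192.0.2.0/24</allowed-ips>   <!-- placeholder LAN range -->
  </remote>
</ossec_config>

<!-- Fragment 2: a second agent installed under /var/ossec/ossec-agent
     (assumed install prefix). Its only job is to ship archives.log to the
     off-site server over the agent channel, which is encrypted with the
     per-agent key issued by manage_agents. -->
<ossec_config>
  <client>
    <server-ip>203.0.113.10</server-ip>       <!-- placeholder off-site server -->
  </client>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/ossec/logs/archives/archives.log</location>
  </localfile>
</ossec_config>
```

The catch dan points at: each line in archives.log carries the date and the log's origin in front of the original message, so the off-site server's decoders and rules see that wrapped line rather than the raw syslog record, and the already-analyzed events get analyzed a second time. Expect to tune or silence rules on the off-site server, or accept that it is a log store rather than a second alerting point.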