On Mon, Jun 24, 2013 at 12:37 PM, Blake Johnson <[email protected]> wrote:
> Dan,
>
> Thank you for catching my unclear expression of the architecture.
>
> I was hoping the OSSEC server would have a way to differentiate based on an
> agent property whether to apply the <logall> option. With logall enabled I
> understand that the full log messages will be retained in
> /var/ossec/logs/archives. I could then have the Splunk agent monitor that
> directory to address retention requirements.
>
> Since <logall> is a global option, it appears I may be forced into a two
> manager architecture, where the agents are associated with a manager based
> on my retention needs.
>
> I'd prefer to stick to one manager to keep complexity low; if you have any
> ideas on how that may be accomplished I would be happy to hear them.
>

Modify the code, send patches. :-P

> Blake
>
> On Monday, June 24, 2013 11:25:32 AM UTC-5, dan (ddpbsd) wrote:
>>
>> On Mon, Jun 24, 2013 at 12:15 PM, Blake Johnson <[email protected]> wrote:
>> > We're evaluating OSSEC for use in our environment and are currently in
>> > proof of concept testing. We'll have two general types of agents with
>> > different compliance requirements that I'm considering separating with
>> > profiles.
>> >
>> > For Profile 1 I'd like to forward OSSEC alerts and full raw logs to
>> > Splunk via syslog. For Profile 2 I'd like to forward just alerts.
>> >
>>
>> Agents do not create alerts.
>>
>> > We have alerts forwarding to Splunk successfully in our lab. Has anyone
>> > had success using an agent property, profile or otherwise, to set log
>> > destination? Any other ideas to accomplish this goal (multi-manager
>> > setup comes to mind)?
>> >
>>
>> The OSSEC server does not have the capability of forwarding the logs
>> it receives.
>>
>> > Any feedback is greatly appreciated, I'm still quite new to the project.
>> >
>> > Blake Johnson
>> > IT Security Analyst
>> > Alliant Energy
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/groups/opt_out.
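As an added example (not code from this thread or from OSSEC itself): since <logall> is global, one way to keep a single manager and still hand Splunk only the Profile 1 agents' raw logs is to filter the archive lines by the agent name they carry before forwarding. The archive line layout, the agent names and the sample lines below are assumed/constructed for illustration.

```python
import re

# Archive-line layout assumed here (constructed for this example):
#   "<YYYY Mon DD HH:MM:SS> (<agent>) <ip>-><location> <raw message>"
# Lines the manager logs about itself carry "<host>-><location>" instead.
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)->|(?P<local>\S+)->)"
    r"(?P<location>\S+) (?P<msg>.*)$"
)

# Constructed sample: an archives.log excerpt from a manager with <logall> on.
SAMPLE_ARCHIVE = """\
2013 Jun 24 12:37:01 (web01) 10.0.1.11->/var/log/auth.log Jun 24 12:37:00 web01 sshd[2210]: Accepted publickey for deploy from 10.0.9.5 port 51022 ssh2
2013 Jun 24 12:37:02 (db01) 10.0.2.21->/var/log/messages Jun 24 12:37:01 db01 kernel: eth0: link up
2013 Jun 24 12:37:03 (web02) 10.0.1.12->/var/log/auth.log Jun 24 12:37:02 web02 sshd[1180]: Failed password for root from 10.0.9.7 port 40110 ssh2
2013 Jun 24 12:37:04 ossec-manager->/var/log/messages Jun 24 12:37:03 ossec-manager ossec-remoted: started
this line is not in archive format
"""

# Constructed profile assignment: agents whose full raw logs must be retained.
FULL_RETENTION_AGENTS = {"web01", "web02"}


def parse_archive_line(line):
    """Split one archive line into its fields; None if it does not parse."""
    m = ARCHIVE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    # Manager-local lines are attributed to the manager host itself.
    rec["agent"] = rec["agent"] or rec["local"]
    del rec["local"]
    return rec


def select_for_retention(archive_text, agents):
    """Return (lines from agents in `agents`, count of unparsable lines).

    The unparsable count is returned rather than silently dropped so a
    format change in the archive does not quietly break retention."""
    kept, unparsed = [], 0
    for line in archive_text.splitlines():
        rec = parse_archive_line(line)
        if rec is None:
            unparsed += 1
        elif rec["agent"] in agents:
            kept.append(line)
    return kept, unparsed


if __name__ == "__main__":
    lines, bad = select_for_retention(SAMPLE_ARCHIVE, FULL_RETENTION_AGENTS)
    print(f"{len(lines)} lines selected, {bad} unparsable")
```

In practice the selected lines would be written to a separate file that the Splunk agent watches, while the complete archive stays on the manager.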
