On 2014-05-13 9:44, Darin Perusich wrote:
If you want reliable syslog retrieval I recommend you abandon using
OSSEC and use rsyslog with the RELP module enabled. Then if you want
to do post-processing of your logs looking for events, use a tool like 'sec',
the simple event correlator, or Splunk, or Elasticsearch, etc, etc.
http://www.rsyslog.com/doc/imrelp.html
http://simple-evcorr.sourceforge.net/
RELP looks interesting. Or use a TCP-based and maybe encrypted syslog
daemon for the log delivery and analyze the logs on the manager with
OSSEC, and use the agents for file integrity monitoring and rootkit
detection. SEC is nice but doesn't have the analysis capabilities that
OSSEC does.
--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
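A worked rsyslog configuration for the delivery path the reply sketches (RELP over TLS from the agent hosts to the OSSEC manager, with the manager analyzing the received files). This is an added example, not code from the thread, from rsyslog or from OSSEC. The hostnames, certificate paths, the port 2514 and the /var/log/remote directory are assumptions chosen for the example; RELP with tls="on" needs an rsyslog build whose librelp has TLS support.

```conf
############################################################
# Manager side (runs alongside the OSSEC manager)
# /etc/rsyslog.d/10-relp-server.conf   (assumed file name)
############################################################
module(load="imrelp")

# One log file per sending host, so OSSEC can watch each of them.
template(name="RemoteHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%.log")

# Everything arriving over RELP goes through this ruleset only;
# "stop" keeps remote lines out of the manager's own local logs.
ruleset(name="remote") {
    action(type="omfile" dynaFile="RemoteHostFile"
           fileCreateMode="0640" dirCreateMode="0750")
    stop
}

# RELP listener: mutual TLS, peers authenticated by certificate name.
input(type="imrelp" port="2514" ruleset="remote"
      tls="on"
      tls.cacert="/etc/rsyslog.d/certs/ca.pem"            # assumed path
      tls.mycert="/etc/rsyslog.d/certs/manager-cert.pem"  # assumed path
      tls.myprivkey="/etc/rsyslog.d/certs/manager-key.pem"
      tls.authmode="name"
      tls.permittedpeer=["*.agents.example.internal"])    # assumed name pattern

############################################################
# Agent side (each host that used to rely on OSSEC for syslog)
# /etc/rsyslog.d/10-relp-client.conf   (assumed file name)
############################################################
# Disk-assisted queue files live here; the directory must be writable by rsyslog.
global(workDirectory="/var/spool/rsyslog")

module(load="omrelp")

# Forward everything; RELP acknowledges each message, and the queue
# keeps messages on disk while the manager is unreachable or rsyslog restarts.
action(type="omrelp"
       target="manager.example.internal" port="2514"      # assumed host
       tls="on"
       tls.cacert="/etc/rsyslog.d/certs/ca.pem"
       tls.mycert="/etc/rsyslog.d/certs/agent-cert.pem"
       tls.myprivkey="/etc/rsyslog.d/certs/agent-key.pem"
       tls.authmode="name"
       tls.permittedpeer=["manager.example.internal"]
       queue.type="LinkedList"
       queue.filename="relp_fwd"          # enables the on-disk part of the queue
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")      # retry forever instead of dropping
```

On the manager, each /var/log/remote/<host>.log file is then registered in ossec.conf with a localfile entry (log_format syslog, location set to the file), so the manager's decoders and rules run over the forwarded lines while the agents keep doing file integrity monitoring and rootkit detection, which is the split the reply describes. With tls.authmode="name" both sides reject a peer whose certificate does not match the permitted name, so a host cannot inject logs under another host's name without holding a matching certificate.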