On Tue, May 13, 2014 at 10:51 AM, Michael Starks
<ossec-l...@michaelstarks.com> wrote:
> On 2014-05-13 9:44, Darin Perusich wrote:
>>
>> If you want reliable syslog retrieval I recommend you abandon using
>> OSSEC and use rsyslog with the RELP module enabled. Then if you want
>> to do post processing your logs looking for events use a tool 'sec',
>> simple event correlator, or Splunk, or Elasticsearch, etc, etc.
>>
>> http://www.rsyslog.com/doc/imrelp.html
>> http://simple-evcorr.sourceforge.net/
>
>
> RELP looks interesting. Or use a TCP-based and maybe encrypted syslog daemon
> for the log delivery and analyze the logs on the manager with OSSEC, and use
> the agents for file integrity monitoring and rootkit detection. SEC is nice
> but doesn't have the analysis capabilities that OSSEC does.
>
TCP-based syslog still doesn't guarantee your message will be delivered
to the loghost. Say you have a chatty host sending whatever to your
loghost and the loghost crashes and has a significant amount of
downtime. After whatever the time-out value for your TCP-enabled log
client is reached, you're going to lose those logs; with RELP they'll
be stored on the client and transmitted whenever the loghost comes
back online, so nothing gets lost.
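The two client setups being contrasted above, as an added rsyslog configuration example (not something posted in the thread): a plain TCP forward that only has rsyslog's default in-memory action queue, next to an omrelp forward with a disk-assisted queue that spools to disk while the loghost is down and retries forever. The hostname loghost.example.com, port 2514 and the spool path are assumptions for illustration; the parameter names are rsyslog's (RainerScript syntax).

```conf
# --- weak: plain TCP forwarding (legacy syntax, default in-memory queue) ---
# Once the loghost is unreachable long enough for the action to be
# suspended and the in-memory queue to fill or rsyslog to restart,
# queued messages are dropped on the client.
*.* @@loghost.example.com:514

# --- better: RELP with a disk-assisted queue on the client ---
# Assumed spool directory; rsyslog needs write access to it.
global(workDirectory="/var/spool/rsyslog")

module(load="omrelp")

action(type="omrelp"
       target="loghost.example.com"     # assumed loghost name
       port="2514"                      # assumed RELP port
       # Disk-assisted queue: in memory while healthy, spilled to
       # workDirectory/relp_fwd.* when the target is unreachable.
       queue.type="LinkedList"
       queue.filename="relp_fwd"
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"        # flush memory part to disk on stop
       # Never give up on the target; retry every 30 seconds.
       action.resumeRetryCount="-1"
       action.resumeInterval="30")

# --- loghost side: accept RELP on the same port ---
# module(load="imrelp")
# input(type="imrelp" port="2514")
```

With this in place the client keeps acknowledged-delivery semantics from RELP (the message is not removed from the queue until the loghost confirms it) and the disk queue covers outages longer than whatever memory would hold; size queue.maxDiskSpace for the chatty host's volume over the longest outage you want to survive, since once that limit is hit messages are discarded again.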
