Hi Jeremy,

Replies inline.

On Wed, Jun 18, 2014 at 8:48 AM, Jeremy Rossi <jer...@jeremyrossi.com> wrote:
>
>>
>> * James M. Pulver <jmp...@cornell.edu> [2014-06-18 12:03:15 +0000]:
>>
>>> Maybe I'm crazy, but I think OSSEC is like a log daemon +…
>>> It's cross platform, it includes encryption, it has built in filtering 
>>> and can do active response. Why would it make sense to duplicate log 
>>> shipping if you need it to do the security stuff? I.e. OSSEC ought to be a 
>>> good log aggregator to serve its primary security goal IMO.
>
> I don't know :) part of why I am asking.
>
> All the features you list don't in my mind make it a logging daemon.  Active 
> response, encryption, cross platform etc make it a good HIDS.

My interpretation of James's statement is that we shouldn't need yet
another agent that's also shipping logs to some central point.
Installing two agents on the same host tailing the same log files and
shipping to some central point is duplication of effort and won't be
accepted in many organizations.

> But the feature of reading the log files fast and efficiently and moving them 
> to central server are very much log daemon-ish.  But this feature is used to 
> centrally process not do anything more. (Outside of logall).  We don't keep 
> the encrypted bytes for confirming message has not been modified or for 
> verification of the host it came from.  We don't store any metadata about 
> where the log file was gathered from.  Basically it is missing a huge pile of 
> features to make it a *good* logging daemon.

> Do we want to make this a *good* logging daemon tool and spend that time and 
> effort to build and support this feature set and direction?

My vote would be yes.



-- 
Doug Burks

You received this message because you are subscribed to the Google Groups 
"ossec-list" group.