Well, I'm using the agent on Windows, and many are laptops. So they stay up, 
but wander away from our network. They currently can't connect to the OSSEC 
server when off our network. This may be unnecessary paranoia on our part, and 
we are working on what we can expose to the net at large, but anyway... Getting 
the logs would be nice. I also agree with Doug, my main point is I don't want 
to run 2 log agents reading the logs and forwarding them on.

--
James Pulver
CLASSE Computer Group
Cornell University


-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of Artien Bel
Sent: Wednesday, June 18, 2014 9:48 AM
To: ossec-list@googlegroups.com
Subject: Re: [ossec-list] logall

Wouldn't the primary use-case be that you want to make sure that when the 
server goes down, when it comes back up, agent-events will be processed from 
the moment it went down? Or perhaps in cases of (D)DOS/network congestion, to 
be sure that events eventually would be delivered to the server?

Personally, I feel that reliable log-shipping would have no direct relevance to 
killing the communication between agent/server as the server will detect the 
agent being inactive. We, for example, use monitoring on the IDS-server-side to 
alert us if an agent goes down or does not transmit any data within a specific 
interval.

Again, to be clear: I have no actual objection to this functionality than that 
I feel effort could be better invested in other parts of OSSEC, because there 
are already better solutions for reliable log shipping.

-artien

On 06/18/2014 03:21 PM, James M. Pulver wrote:
> I think OSSEC should be a good logging daemon. How do you generate alerts if 
> you can't guarantee you get the logs, if the alerts are based on central 
> processing of the logs? This seems like a huge gaping hole in IDS to me - if 
> I was attacking an OSSEC endpoint, first thing I'd do once I realized it was 
> running OSSEC would be to see if I can block its network access to the OSSEC 
> server without killing my access. Now the org running OSSEC is effectively 
> blinded to my work unless there's something else running.
>
> --
> James Pulver
> CLASSE Computer Group
> Cornell University
>
>
> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] 
> On Behalf Of Jeremy Rossi
> Sent: Wednesday, June 18, 2014 8:49 AM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] logall
>
>
>> * James M. Pulver <jmp...@cornell.edu> [2014-06-18 12:03:15 +0000]:
>>
>>> Maybe I'm crazy, but I think OSSEC is like a log daemon +...
>>> It's cross platform, it includes encryption, it has built in filtering 
>>> and can do active response. Why would it make sense to duplicate log 
>>> shipping if you need it to do the security stuff? I.e. OSSEC ought to be a 
>>> good log aggregator to serve its primary security goal IMO.
> I don't know :) part of why I am asking. 
>
> All the features you list don't in my mind make it a logging daemon.  Active 
> response, encryption, cross platform etc make it a good HIDS.   
>
> But the feature of reading the log files fast and efficiently and moving them 
> to central server are very much log daemon-ish.  But this feature is used to 
> centrally process not do anything more. (Outside of logall).  We don't keep 
> the encrypted bytes for confirming message has not been modified or for 
> verification of the host it came from.  We don't store any metadata about 
> where the log file was gathered from.  Basically it is missing a huge pile of 
> features to make it a •good• logging daemon.  
>
> Do we want to make this a •good• logging daemon tool and spend that time and 
> effort to build and support this feature set and direction? 
>
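As an added illustration (not part of this thread and not OSSEC's own code), the following Python sketch models the two mechanisms under discussion: an agent-side spool that holds events while the server is unreachable (the roaming laptop James describes, or the server restart Artien mentions) and replays them in order with their original timestamps, plus the server-side inactivity check Artien's monitoring performs, flagging any agent that has not delivered anything within a threshold. The agent names, the time scale and the outage windows are constructed for the scenario; nothing here reflects how OSSEC's agent or server actually buffers or acknowledges messages.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    agent: str
    ts: int      # time the event was generated on the agent, kept through replay
    seq: int     # per-agent monotonic sequence number
    msg: str


class SpoolingAgent:
    """Store-and-forward agent: events wait in a bounded spool until the
    server acknowledges them. The spool is in memory here; a real agent
    would persist it on disk so a reboot does not lose it."""

    def __init__(self, name, max_spool=1000):
        self.name = name
        self.spool = deque()
        self.seq = 0
        self.max_spool = max_spool
        self.dropped = 0  # events evicted because the spool filled up

    def log(self, ts, msg):
        self.seq += 1
        if len(self.spool) >= self.max_spool:
            self.spool.popleft()  # evict oldest, but count it so the loss is visible
            self.dropped += 1
        self.spool.append(Event(self.name, ts, self.seq, msg))

    def flush(self, server, now, reachable):
        """Deliver spooled events oldest-first; stop at the first unacknowledged one."""
        if not reachable:
            return 0
        sent = 0
        while self.spool and server.receive(self.spool[0], now):
            self.spool.popleft()
            sent += 1
        return sent


class Server:
    """Receiver that de-duplicates by sequence number, records gaps, and
    reports agents that have been silent longer than a threshold."""

    def __init__(self, silence_threshold):
        self.up = True
        self.threshold = silence_threshold
        self.last_seen = {}  # agent -> time of last delivery (server clock)
        self.last_seq = {}   # agent -> highest sequence number stored
        self.gaps = {}       # agent -> count of sequence numbers never received
        self.received = []

    def receive(self, ev, now):
        if not self.up:
            return False  # no ack: the agent keeps the event spooled
        expected = self.last_seq.get(ev.agent, 0) + 1
        if ev.seq < expected:
            return True   # retransmit of something already stored: ack, don't store
        if ev.seq > expected:
            self.gaps[ev.agent] = self.gaps.get(ev.agent, 0) + (ev.seq - expected)
        self.last_seq[ev.agent] = ev.seq
        self.last_seen[ev.agent] = now
        self.received.append(ev)
        return True

    def silent_agents(self, now):
        """Agents whose last delivery is older than the threshold (hypothetical check)."""
        return sorted(a for a, t in self.last_seen.items() if now - t > self.threshold)


def simulate():
    """Constructed scenario: a laptop leaves the network for a while and the
    server later restarts; time is in seconds, sampled every 30 s."""
    server = Server(silence_threshold=120)
    laptop = SpoolingAgent("laptop01")
    desktop = SpoolingAgent("desktop01")
    alerts = []
    for now in range(0, 600, 30):
        laptop_reachable = not (120 <= now < 360)  # laptop off the network
        server.up = not (420 <= now < 480)         # server down for a restart
        laptop.log(now, f"event at t={now}")
        desktop.log(now, f"event at t={now}")
        laptop.flush(server, now, laptop_reachable)
        desktop.flush(server, now, True)
        alerts.extend((now, agent) for agent in server.silent_agents(now))
    server.up = True
    laptop.flush(server, 600, True)
    desktop.flush(server, 600, True)
    return server, laptop, desktop, alerts


if __name__ == "__main__":
    server, laptop, desktop, alerts = simulate()
    print(f"delivered={len(server.received)} spooled={len(laptop.spool)} alerts={alerts}")
```

Running `simulate()` shows the two behaviours side by side: the server raises silence alerts for the laptop only while it is off the network, and once it reconnects every buffered event arrives in sequence with the timestamp it was generated at, so central rule processing sees the events in the order they occurred rather than the order they were delivered. The server outage produces no alerts because the threshold is longer than the outage, which is the tuning decision behind Artien's "specific interval".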

-- 

---
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
