On 2014-06-18 7:57, Jeremy Rossi wrote:
One of the things that has become more and more clear is that people
expect ossec to do this.  Be it bad docs that are not clear, or
something else.  Part of me agrees that one should use the correct tools for the
job, but why ship the logs twice? And more importantly, read them twice
(performance of ossec is really good when compared to logstash and
other things written in higher level languages).

This!

This is how it always plays out in the real world when someone wants to use OSSEC and save all logs for regulatory reasons, which is most of the time in an enterprise. OSSEC is already shipping logs, so it makes sense to have only one agent on the box that does that. Plus it encrypts, compresses and authenticates, which is something that requires special configuration for other agents, if they support it at all. It's hard to design a robust log environment using only OSSEC agents, but if it were a bit more flexible in the way that it allowed you to access raw logs on the manager, then they could be archived in Logstash, or ELSA, or RSA enVision, or whatever.

All this really means is that the events OSSEC transports are more standardized and accessible, which fits in perfectly with the modular and flexible nature of the software.
