Hi, I am just getting started with designing a logging stack and have some questions regarding how OSSEC will fit into the overall scheme. Over the last several weeks, I have been setting up different log stacks and think I have a viable solution. However, I have some questions about how everyone else is deploying OSSEC in similar situations. I understand this question is not entirely specific to OSSEC but I am hoping others have had similar goals so they may have some related information.
My overall design at this point will be shipping logs from endpoints to an rsyslog server; on that server, I will store everything and forward to graylog2, which will be using an elasticsearch backend. I plan to use encryption and TCP where possible.

When adding OSSEC into the mix, how are others setting up their environments? On the endpoint nodes, are you deploying OSSEC on every node, or are you shipping logs to a central store and then performing the checks there? As far as OSSEC on the server side, are you segregating OSSEC or running it on the same server as your rsyslog/logstash/whatever instances? Does it make sense to ship all endpoint logs to the central log repository, then use rsyslog to redirect the logs to local files, graylog2, and OSSEC?

Regards
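The fan-out the post asks about (one rsyslog server that keeps a local archive, forwards to graylog2 over TCP with TLS, and exposes a file for OSSEC to analyse) can be expressed as a single rsyslog ruleset. The configuration below is an added example for this thread, not something posted by the original author or shipped by the OSSEC or rsyslog projects. The host names, certificate paths, port 6514 and the file paths are assumptions chosen for illustration; adjust them to your environment.

```conf
# /etc/rsyslog.d/10-central.conf  (added example; RainerScript syntax, rsyslog 7+)
# Assumed: certificates in /etc/rsyslog.d/tls/, endpoints and graylog2 host
# are in the example.com domain, and all listeners use port 6514 (syslog over TLS).

# TLS settings shared by the listener and the forwarder.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)

# Accept TCP/TLS from endpoints only; require a client certificate whose
# name matches the permitted peer pattern, so a stray host cannot inject
# events into the store or into OSSEC's analysis.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"                 # 1 = TLS only
       StreamDriver.AuthMode="x509/name"
       PermittedPeer="*.example.com")

# One file per sending host and program for the long-term archive.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")

ruleset(name="central") {
  # 1. Local archive, split by host/program, with restrictive modes.
  action(type="omfile" dynaFile="PerHostFile"
         dirCreateMode="0750" fileCreateMode="0640"
         template="RSYSLOG_TraditionalFileFormat")

  # 2. A single flat file in traditional syslog format that the OSSEC
  #    server (or a local agent) reads via a <localfile> entry. Keeping the
  #    original hostname in the line lets OSSEC attribute alerts per host.
  action(type="omfile" file="/var/log/remote/all-for-ossec.log"
         fileCreateMode="0640"
         template="RSYSLOG_TraditionalFileFormat")

  # 3. Forward to graylog2 over TCP/TLS with a disk-assisted queue so a
  #    graylog outage does not block the other two actions or drop events.
  action(type="omfwd" target="graylog.example.com" port="6514" protocol="tcp"
         StreamDriver="gtls" StreamDriverMode="1"
         StreamDriverAuthMode="x509/name"
         StreamDriverPermittedPeers="graylog.example.com"
         queue.type="LinkedList" queue.filename="graylog_fwd"
         queue.saveOnShutdown="on"
         action.resumeRetryCount="-1")
}

# Bind the TLS listener to the ruleset above.
input(type="imtcp" port="6514" ruleset="central")
```

On the OSSEC side, the server's ossec.conf then gets a `<localfile>` block with `<log_format>syslog</log_format>` and `<location>/var/log/remote/all-for-ossec.log</location>`, so the analysis engine treats the central file like any other syslog source. Two caveats a practitioner will want to keep in mind: this handoff covers only log analysis, while OSSEC's file integrity checks (syscheck) and rootkit checks (rootcheck) run on the host where an agent is installed, so they still need an agent on each endpoint; and because the flat file is truncated only by your log rotation, pair it with a rotation policy and make sure OSSEC's reader can follow the rotated file.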
