Hi Michael,

As far as performance expectations from a setup like that, what kind of processing power and RAM requirements would be needed for how many endpoints? I have not even gotten to sizing at this point, but I should get it on my radar.

Thanks for your reply.

Brandon

On Tuesday, January 13, 2015 at 1:12:16 PM UTC-6, Michael Starks wrote:
>
> On 2015-01-13 1:07, BKeep wrote:
>
> > Does it make sense to ship all endpoint logs to the central log
> > repository then use rsyslog to redirect the logs to local files,
> > graylog2, and OSSEC?
>
> I have deployed OSSEC in several environments over the years. My
> preference is to use OSSEC agents for integrity and rootkit checking
> only, and ship the logs separately so they can be consumed by ELSA (or
> graylog, etc). I then analyze the logs on the destination log host with
> analysisd.
>
> I do this because OSSEC does not have very good capabilities when it
> comes to archiving logs. Sure, you can turn that on, but all of the logs
> are stored in one monolithic log file and the log format is not
> standardized. And if you don't turn it on, you'll end up discarding
> 90-99% of the logs that come in because they don't match a rule.
>
> My preference would be to have one agent (only OSSEC), but it just
> doesn't work so well in environments where you want to archive all logs
> for forensics purposes.
>
> --

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
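The split Michael describes in the quoted reply (OSSEC agents doing only integrity and rootkit checks, rsyslog shipping the raw logs to a central host that archives them per host, copies them to graylog, and feeds one flat file to the OSSEC manager's analysisd) as an added rsyslog configuration example. This is not configuration from the thread or from the OSSEC project; the hostnames `loghost.example.internal` and `graylog.example.internal`, the ports, and the paths under `/var/log/remote` are assumptions, and the endpoint and collector fragments would live in separate rsyslog.d files on the two kinds of host.

```rsyslog
############ Endpoint: /etc/rsyslog.d/10-forward.conf (assumed path) ############
# Forward every local message to the central log host over TCP.
# A disk-assisted queue holds messages while the collector is unreachable,
# so an outage does not silently drop the forensic record.
action(type="omfwd"
       target="loghost.example.internal"      # assumed collector hostname
       port="514" protocol="tcp"
       template="RSYSLOG_SyslogProtocol23Format"   # RFC 5424 on the wire
       queue.type="LinkedList"
       queue.filename="fwd_loghost"            # spool name under $WorkDirectory
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")           # retry forever, never discard

############ Collector: /etc/rsyslog.d/20-collect.conf (assumed path) ############
module(load="imtcp")
input(type="imtcp" port="514" ruleset="archive")

# One file per sending host per day, in a standardized RFC 5424 layout.
# This is the long-term archive that keeps the 90-99% of lines OSSEC
# would otherwise discard because they match no rule.
template(name="ArchiveFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="archive") {
    # 1. Archive to disk for forensics.
    action(type="omfile" dynaFile="ArchiveFile"
           template="RSYSLOG_SyslogProtocol23Format"
           dirCreateMode="0750" fileCreateMode="0640")

    # 2. Copy to graylog's syslog input (assumed TCP port 1514), queued
    #    so a graylog outage does not stall the archive action above.
    action(type="omfwd"
           target="graylog.example.internal" port="1514" protocol="tcp"
           template="RSYSLOG_SyslogProtocol23Format"
           queue.type="LinkedList" queue.filename="fwd_graylog"
           action.resumeRetryCount="-1")

    # 3. Single flat file in traditional syslog format for the OSSEC
    #    manager: its syslog decoders expect "Mon DD HH:MM:SS host tag: msg",
    #    and analysisd reads this one file instead of each endpoint shipping
    #    logs through the OSSEC agent.
    action(type="omfile" file="/var/log/remote/all-for-ossec.log"
           template="RSYSLOG_TraditionalFileFormat"
           fileCreateMode="0640")
}
```

On the agents, ossec.conf keeps its `<syscheck>` and `<rootcheck>` sections and carries no `<localfile>` entries, so nothing is shipped twice. On the manager, a single `<localfile>` with `<log_format>syslog</log_format>` and `<location>/var/log/remote/all-for-ossec.log</location>` hands the stream to analysisd; that file is a complete copy of all traffic and needs logrotate, while the per-host archive under `/var/log/remote/<host>/` is the retention set. Forwarding over plain TCP is shown for brevity; the same `omfwd`/`imtcp` pair accepts TLS stream-driver options if the collector is reached across an untrusted segment.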