Ok, I am thinking "off the cuff" here -- but was starting to wonder how OSSEC could scale more easily to large infrastructures. One of the primary issues is analysisd being single threaded. BUT -- since analysisd does not trap the port - 1514 for anything - that is left up to remoted - then why couldn't you run multiple versions of analysisd but have them tied to a specific keys file somehow?
In other words, have a way to mark the client.keys file with a field that perhaps had a 1, 2, 3 or 4 or something like that, and it would indicate which analysisd instance you are going to talk to? I guess I need to go look at the code to see who is doing the evaluation on the client.keys for processing. I am guessing it is remoted, so maybe this would not work too easily if that is the case. The whole point here is to NOT try to make analysisd multi-threaded, but instead have some way to decide how many daemons you want to run and which one processes which clients. Thoughts/comments??

-K