I thought I would share this..

OSSEC has been a huge help not to mention savings. In 2 very large
cases - over 3000 nodes - OSSEC has replaced Tripwire as the
Filesystem check, and because of all the fantastic features it adds,
it brings even more ROI to the teams involved.

In several instances, Tripwire was core dumping and sucking up CPU for
reasons TW was never able to resolve, and as OSSEC rolled out to
replace it - not only did the audit teams like it, but so did Sys
Admins, as they now had a tool to bring sense to log files of over
3000 systems. Using it with the 500 meg version of licensed Splunk and
the OSSEC app, the reporting tools provide everything we need to meet
compliance requirements. I especially find the "command as a logfile"
ability of OSSEC being able to also replace some of the monitoring
tools so we can remove a bit more overhead.

Although the DB integration is also a plus, because the feeds go into
Splunk, that was not a huge requirement, HOWEVER, in testing up front,
I worked with the Logzilla team to provide the same "OSSEC App"
features that Splunk provides in the Logzilla project. So if you are
looking for a cheaper solution rather than Splunk, you should take a
look at Logzilla (logzilla.pro) to bring the collection portion of all
the syslog data into a very neat and powerful interface.

Bottom line - with OSSEC spread out in the enterprise, and some of the
other tools on the server end to provide the reporting and searching
for historical information - this is a WIN-WIN situation all around.

I am sure some folks have wondered about the load that OSSEC Manager
can handle - well, my largest instance is handling just over 3000
nodes and the smaller one around 1700 nodes. Just scale the hardware.
The biggest issue is fine-tuning all the false positives, and I am
looking to build a tool for a more simple "rule tuning" method.
Specifically something that pulls out the specific rule that is firing
into a web interface, then opens a screen and allows you to move the
specific parts into another rule, which is then placed in the proper
location of the local_rules file.  When you have 3000 nodes, managing
false positives and fine tuning rules can be a bit cumbersome having
to "edit" files and reload, etc.  Of course when I finish this "tool"
I will be contributing back to the project and offer it out for
others...

That's my 3 cents (I hate even numbers) for how OSSEC has helped me
during the week of OSSEC.

cheers
~K

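The rule-tuning workflow described in the post above (take the rule that is firing, narrow it, and drop an override into local_rules.xml) as an added example. This is not K's tool and not OSSEC project code; it is a small Python script written for this page. It assumes the standard OSSEC alerts.log layout (a "Rule: NNN (level L) -> 'desc'" line, optional "Src IP:" and "User:" lines, and "(hostname)" after the timestamp on agent alerts), and it relies on the documented OSSEC mechanism of silencing a parent rule with a level-0 child rule via `<if_sid>`, plus the `<hostname>`, `<srcip>` and `<user>` rule elements. The helper names (`parse_alert`, `next_local_id`, `build_override`, `insert_rule`, `tune_alert`), the constructed alert and the constructed local_rules.xml fragment are this example's own.

```python
"""Generate an OSSEC local_rules.xml override from one alerts.log entry.

Added example for this page; helper names are hypothetical.
The alert text and local_rules.xml content below are constructed samples.
"""
import re
from xml.sax.saxutils import escape

# Constructed sample: one agent alert in OSSEC alerts.log format.
SAMPLE_ALERT = """\
** Alert 1299458478.12838: - syslog,sshd,authentication_failed,
2011 Mar 06 17:21:18 (webscan01) 192.0.2.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.50
User: scanner
Mar  6 17:21:17 webscan01 sshd[1234]: Failed password for scanner from 192.0.2.50 port 4321 ssh2
"""

# Constructed sample: an existing local_rules.xml with one override already present.
SAMPLE_LOCAL_RULES = """\
<group name="local,syslog,">
  <rule id="100001" level="0">
    <if_sid>5501</if_sid>
    <match>cron</match>
    <description>Ignore cron session opened</description>
  </rule>
</group>
"""

# OSSEC reserves rule ids 100000-109999 for user-defined rules.
LOCAL_ID_FLOOR, LOCAL_ID_CEILING = 100001, 109999


def parse_alert(alert_text):
    """Pull rule id, level, description and the matchable fields out of one alert."""
    rule = re.search(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", alert_text, re.M)
    if not rule:
        raise ValueError("no 'Rule:' line in alert")
    # Agent alerts carry "(hostname) ip->logfile" after the timestamp; local ones do not.
    host = re.search(r"^\d{4} \w{3} \d{2} \d\d:\d\d:\d\d \(([^)]+)\)", alert_text, re.M)
    srcip = re.search(r"^Src IP: (\S+)$", alert_text, re.M)
    user = re.search(r"^User: (\S+)$", alert_text, re.M)
    return {
        "rule_id": int(rule.group(1)),
        "level": int(rule.group(2)),
        "description": rule.group(3),
        "hostname": host.group(1) if host else None,
        "srcip": srcip.group(1) if srcip else None,
        "user": user.group(1) if user else None,
    }


def next_local_id(local_rules):
    """Lowest unused id in the user-defined range, scanning existing <rule id="..."> tags."""
    used = {int(i) for i in re.findall(r'<rule\s+id="(\d+)"', local_rules)}
    for candidate in range(LOCAL_ID_FLOOR, LOCAL_ID_CEILING + 1):
        if candidate not in used:
            return candidate
    raise ValueError("no free id left in the local rule range")


def build_override(alert, new_id, match_on=("hostname",)):
    """Child rule at level 0 (silenced) that fires only when the chosen fields match.

    Refuses to emit an override with no narrowing field: that would silence the
    parent rule on every node, which is rarely what a false-positive fix intends.
    """
    body = [f'  <rule id="{new_id}" level="0">', f'    <if_sid>{alert["rule_id"]}</if_sid>']
    narrowed = False
    for field in match_on:  # field names double as the OSSEC rule element names
        value = alert.get(field)
        if value:
            body.append(f"    <{field}>{escape(value)}</{field}>")
            narrowed = True
    if not narrowed:
        raise ValueError("override would silence rule %d globally" % alert["rule_id"])
    body.append(f"    <description>Tuned out: {escape(alert['description'])}</description>")
    body.append("  </rule>")
    return "\n".join(body)


def insert_rule(local_rules, rule_xml):
    """Place the new rule inside the last <group> of local_rules.xml, before its close."""
    idx = local_rules.rfind("</group>")
    if idx == -1:
        raise ValueError("local_rules.xml has no <group> to add the rule to")
    return local_rules[:idx] + rule_xml + "\n" + local_rules[idx:]


def tune_alert(alert_text, local_rules, match_on=("hostname",)):
    """End to end: alert text in, (updated local_rules.xml text, new rule id) out."""
    alert = parse_alert(alert_text)
    new_id = next_local_id(local_rules)
    return insert_rule(local_rules, build_override(alert, new_id, match_on)), new_id


if __name__ == "__main__":
    updated, rid = tune_alert(SAMPLE_ALERT, SAMPLE_LOCAL_RULES, match_on=("hostname", "srcip"))
    print(updated)
```

Narrowing on hostname plus source IP is the conservative default here: a level-0 child with only `<if_sid>` would mute rule 5716 on all 3000 nodes, so the script refuses to produce one unless at least one narrowing field is present in the alert. After writing the result back to local_rules.xml, feed the original log line through /var/ossec/bin/ossec-logtest to confirm it now lands on the new id at level 0, then restart the manager so ossec-analysisd reloads the rules.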