[ossec-list] Re: Large scale deployment
Have a tutorial please, because I would like to install the ossec-agent on 500 assets.

Best regards
Re: [ossec-list] Re: Large scale deployment
Hi, Scott Klauminzer

Many thanks. About the method described in automatically-creating-and-setting-up-the-agent-keys (http://dcid.me/2011/01/automatically-creating-and-setting-up-the-agent-keys/): I have tried it, but I ran into trouble: the agent is unable to connect to the ossec server. These are the details of my ossec agent:

    [root@CentOS jj]# /var/ossec/bin/agent-auth -m 10.0.2.15 -p 6969 -A CentOS
    2012/11/27 10:34:20 ossec-authd: INFO: Started (pid: 2742).
    2012/11/27 10:34:20 ossec-authd: Unable to connect to 10.0.2.15:6969
    [root@CentOS james]# yum list installed | grep ssl
    docbook-style-dsssl.noarch
    mod_ssl.i686 1:2.2.15-15.el6.centos
    nss_compat_ossl.i686 0.9.6-1.el6 @anaconda-CentOS-201112130233.i386/6.2
    openssl.i686 1.0.0-20.el6 @anaconda-CentOS-201112130233.i386/6.2
    openssl-devel.i686 1.0.0-20.el6 @anaconda-CentOS-201112130233.i386/6.2
    qca-ossl.i686 2.0.0-0.8.beta3.1.el6
    qpid-cpp-client-ssl.i686 0.12-6.el6 @anaconda-CentOS-201112130233.i386/6.2
    qpid-cpp-server-ssl.i686 0.12-6.el6 @anaconda-CentOS-201112130233.i386/6.2

Could you help me? Thanks!

Br.
JJ

2012/9/27 sklaumin...@gmail.com sklaumin...@gmail.com

Our current process is to pre-load the manager with client names to generate the client.keys file, then distribute that with the client install and have the install script search for the client by name in the client.keys file and output that line to the local client key. Using Type piped to Findstr on Windows.

If you happen to be on Linux there is a better way! http://dcid.me/2011/01/automatically-creating-and-setting-up-the-agent-keys/

Scott Klauminzer
Director of Information Technology Security
Sent from my iPad

On Sep 26, 2012, at 4:28 PM, Mobile Testing x86x...@gmail.com wrote:

Thank you for the feedback. I want to deploy 1 sets to several ossec servers, not a single server. I need to know the specification and sizing. I am suffering from client key distribution. Somebody help me, thank you.
Re: [ossec-list] Re: Large scale deployment
Our current process is to pre-load the manager with client names to generate the client.keys file, then distribute that with the client install and have the install script search for the client by name in the client.keys file and output that line to the local client key. Using Type piped to Findstr on Windows.

If you happen to be on Linux there is a better way! http://dcid.me/2011/01/automatically-creating-and-setting-up-the-agent-keys/

Scott Klauminzer
Director of Information Technology Security
Sent from my iPad

On Sep 26, 2012, at 4:28 PM, Mobile Testing x86x...@gmail.com wrote:

Thank you for the feedback. I want to deploy 1 sets to several ossec servers, not a single server. I need to know the specification and sizing. I am suffering from client key distribution. Somebody help me, thank you.

Sent from my iPhone

On 2012/9/26 at 4:56 AM, Kat uncommon...@gmail.com wrote:

With the new Hybrid feature, why would you want to deploy 1 to a single manager? As someone who has had 3000-4000 dedicated to single managers, I would strongly suggest a tiered approach. It just makes more sense. Yes, you would have to wait for 2.7 to finish the beta cycle, but to me, I would think this is the way to go. 1 on a manager trying to maintain all the connections - just think of the load on the NIC(s) and the biggest problem being that the analysisd process is single threaded, so you are pumping all that data through one engine.

I will say that yes, others are correct - management through a configuration system such as puppet or cfengine is the only way to go, and not trying to use the agent management directly within OSSEC.

Just my 2 cents
Kat

On Tuesday, September 25, 2012 11:57:01 AM UTC-7, JB wrote:

I know there are deployments of more than 3000 agents on one OSSEC server. You need to keep an eye on the amount of network traffic though. Overloading can result in lost events. Refer to http://www.ossec.net/?p=449 under the heading OSSEC Symposium Day 2.
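The key-selection step Scott describes (look the client up by name in a pre-generated client.keys and write that one line out as the local key), as an added example that is not part of the original thread. It assumes the `ID NAME IP KEY` entry layout of client.keys; the function names and the sample entries are hypothetical and constructed.

```shell
#!/bin/sh
# Added example (not from the thread). client.keys entries: "ID NAME IP KEY".

# write_sample_master FILE: constructed sample data, not real keys.
write_sample_master() {
    cat > "$1" <<'EOF'
001 web1 10.0.0.11 CONSTRUCTED-KEY-AAAA
002 web10 10.0.0.12 CONSTRUCTED-KEY-BBBB
003 db1 any CONSTRUCTED-KEY-CCCC
EOF
}

# extract_agent_key MASTER NAME OUT
# Writes the one entry whose NAME field equals NAME to OUT with mode 0600.
# Returns 1 if no entry matches, 2 if several do, 3 on bad arguments.
extract_agent_key() {
    [ "$#" -eq 3 ] && [ -r "$1" ] || return 3
    master=$1; name=$2; out=$3
    # Exact string match on field 2. A substring search (findstr, grep)
    # for "web1" would also hit "web10" and install the wrong agent's key.
    match='($2 "") == (n "")'
    count=$(awk -v n="$name" "$match { c++ } END { print c + 0 }" "$master")
    if [ "$count" -eq 0 ]; then return 1; fi
    if [ "$count" -gt 1 ]; then return 2; fi
    rm -f "$out"
    ( umask 077 && awk -v n="$name" "$match" "$master" > "$out" )
}

# Demo: build the per-agent file on the deployment host so that the full
# master list never has to be copied to every client.
demo() {
    dir=$(mktemp -d) || return 1
    write_sample_master "$dir/master.keys"
    extract_agent_key "$dir/master.keys" web1 "$dir/client.keys" && cat "$dir/client.keys"
    rm -rf "$dir"
}
demo
```

Running the extraction on the deployment host and shipping only the resulting one-line file keeps every other agent's key off the client.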
Re: [ossec-list] Re: Large scale deployment
Thank you for the feedback. I want to deploy 1 sets to several ossec servers, not a single server. I need to know the specification and sizing. I am suffering from client key distribution. Somebody help me, thank you.

Sent from my iPhone

On 2012/9/26 at 4:56 AM, Kat uncommon...@gmail.com wrote:

With the new Hybrid feature, why would you want to deploy 1 to a single manager? As someone who has had 3000-4000 dedicated to single managers, I would strongly suggest a tiered approach. It just makes more sense. Yes, you would have to wait for 2.7 to finish the beta cycle, but to me, I would think this is the way to go. 1 on a manager trying to maintain all the connections - just think of the load on the NIC(s) and the biggest problem being that the analysisd process is single threaded, so you are pumping all that data through one engine.

I will say that yes, others are correct - management through a configuration system such as puppet or cfengine is the only way to go, and not trying to use the agent management directly within OSSEC.

Just my 2 cents
Kat

On Tuesday, September 25, 2012 11:57:01 AM UTC-7, JB wrote:

I know there are deployments of more than 3000 agents on one OSSEC server. You need to keep an eye on the amount of network traffic though. Overloading can result in lost events. Refer to http://www.ossec.net/?p=449 under the heading OSSEC Symposium Day 2.

On Sunday, September 23, 2012 5:24:17 PM UTC-7, JJ Yu wrote:

Dears,

Does anyone know about large scale development? I want to implement over 1 set. There is an issue with client key deployment and management. Could you share any experience? Many thanks.

Br.
JJ
[ossec-list] Re: Large scale deployment
I know there are deployments of more than 3000 agents on one OSSEC server. You need to keep an eye on the amount of network traffic though. Overloading can result in lost events. Refer to http://www.ossec.net/?p=449 under the heading OSSEC Symposium Day 2.

On Sunday, September 23, 2012 5:24:17 PM UTC-7, JJ Yu wrote:

Dears,

Does anyone know about large scale development? I want to implement over 1 set. There is an issue with client key deployment and management. Could you share any experience? Many thanks.

Br.
JJ
[ossec-list] Re: Large scale deployment
With the new Hybrid feature, why would you want to deploy 1 to a single manager? As someone who has had 3000-4000 dedicated to single managers, I would strongly suggest a tiered approach. It just makes more sense. Yes, you would have to wait for 2.7 to finish the beta cycle, but to me, I would think this is the way to go. 1 on a manager trying to maintain all the connections - just think of the load on the NIC(s) and the biggest problem being that the analysisd process is single threaded, so you are pumping all that data through one engine.

I will say that yes, others are correct - management through a configuration system such as puppet or cfengine is the only way to go, and not trying to use the agent management directly within OSSEC.

Just my 2 cents
Kat

On Tuesday, September 25, 2012 11:57:01 AM UTC-7, JB wrote:

I know there are deployments of more than 3000 agents on one OSSEC server. You need to keep an eye on the amount of network traffic though. Overloading can result in lost events. Refer to http://www.ossec.net/?p=449 under the heading OSSEC Symposium Day 2.

On Sunday, September 23, 2012 5:24:17 PM UTC-7, JJ Yu wrote:

Dears,

Does anyone know about large scale development? I want to implement over 1 set. There is an issue with client key deployment and management. Could you share any experience? Many thanks.

Br.
JJ