scale ossec server


dav_cict

Nov 20, 2009, 9:26:02 AM11/20/09
to ossec-list
Hello,

We are testing OSSEC at my university and the product seems clearly
interesting.

We now know how to create decoders and rules and analyse a log file by
injecting it into a test OSSEC server.

One thing we have noticed is that it is difficult to find information
about OSSEC.

Our interest now is: how to organize a deployment.

We have about 150 servers, a lot of switches, a few routers, and a few
security devices.

What can we do?

Centralize all the logs we want to analyse on one server? What
about the network flow? How do I know whether OSSEC can deal with every
log entry?

Put an OSSEC client on the servers, and centralize logs where I do not
have the possibility of installing a client?

Other?

My question remains: is OSSEC dealing with all the logs? How do I know
that certain logs pass through?
How do I scale my server?

Does anyone have an example configuration with a certain volume of
logs?

Does anyone know a company which can help us deploy such a solution
in France?

Thanks for any help.

dav_cict

Nov 23, 2009, 8:32:21 AM11/23/09
to ossec-list
Hello,

We are testing OSSEC at my university and the product seems clearly
interesting.

We now know how to create decoders and rules and analyse a log file by
injecting it into a test OSSEC server.

One thing we have noticed is that it is difficult to find information
about OSSEC.

Our interest now is: how to organize a deployment.

We have about 150 servers, a lot of switches, a few routers, and a few
security devices.

What can we do?

Centralize all the logs we want to analyse on one server? What
about the network flow? How do I know whether OSSEC can deal with every
log entry?

Put an OSSEC client on the servers, and centralize logs where I do not
have the possibility of installing a client?

Other?

My question remains: is OSSEC dealing with all the logs? How do I know
that certain logs don't pass through?

Dimitri

Nov 23, 2009, 3:45:50 PM11/23/09
to ossec...@googlegroups.com
Q: We have about 150 servers, a lot of switches, a few routers, and a few
security devices.

A: The deployment, I think, is very simple, but the first step is to
collect all the information about your configuration items (ITIL
concept):
IP, hostname, service ID, agent

Q: What can we do?

Centralize all the logs we want to analyse on one server? What
about the network flow? How do I know whether OSSEC can deal with every
log entry?

A: The network flow is minimal, but I warn you about domain controller
logs: these are expensive. The bandwidth is low, but the administration
is heavy.

Q: Put an OSSEC client on the servers, and centralize logs where I do
not have the possibility of installing a client?

A: http://www.ossec.net/main/manual/manual-agentless-monitoring/

Q: Other?

My question remains: is OSSEC dealing with all the logs? How do I know
that certain logs don't pass through?

How do I scale my server?

A: 3 GB RAM (for 150 is OK, I think).

Dimitri.-
http://deoxyt2.livejournal.com
OpenBSD - Free, Functional & Secure

----- Original message ----
From: dav_cict <dle...@cict.fr>
To: ossec-list <ossec...@googlegroups.com>
Sent: Mon, 23 November 2009 10:32
Subject: [ossec-list] scale ossec server

Hello,

We are testing OSSEC at my university and the product seems clearly
interesting.

.........
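The reply above recommends starting from an inventory of configuration items (IP, hostname, service ID, agent), and the original question asks how to know whether certain logs are not passing through. One way to combine the two is to check the server's log archive against that inventory and list every inventoried host that has not delivered a single line within a time window. The script below is an added example written for this thread, not OSSEC's own tooling and not code posted by either participant. It assumes OSSEC's `<logall>` archive (logs/archives/archives.log) writes lines of the form `YYYY Mon DD HH:MM:SS (agentname) IP->location message` for agents and `YYYY Mon DD HH:MM:SS IP->location message` for remote sources; the exact layout is an assumption, so adjust `ARCHIVE_RE` for your version. The inventory and archive lines are constructed sample data.

```python
"""Log-coverage check: which inventoried hosts have sent nothing to the OSSEC server
in the last N hours. Added example for the thread; not part of OSSEC."""
import re
from datetime import datetime, timedelta

# Assumed archive line layout (logs/archives/archives.log with <logall>yes</logall>):
#   2009 Nov 23 15:40:01 (web01) 10.1.1.10->/var/log/auth.log <message>     (agent)
#   2009 Nov 23 15:41:12 10.1.2.1->syslog <message>                           (remote source)
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) )?"
    r"(?P<src>\S+?)->(?P<location>\S+) (?P<msg>.*)$"
)

# Constructed inventory in the shape the reply suggests: IP, hostname, service ID, agent?
INVENTORY = [
    {"ip": "10.1.1.10", "hostname": "web01",    "service": "WEB", "agent": True},
    {"ip": "10.1.1.11", "hostname": "web02",    "service": "WEB", "agent": True},
    {"ip": "10.1.2.1",  "hostname": "core-sw1", "service": "NET", "agent": False},
    {"ip": "10.1.2.2",  "hostname": "core-sw2", "service": "NET", "agent": False},
    {"ip": "10.1.3.5",  "hostname": "dc01",     "service": "AD",  "agent": True},
]

# Constructed archive excerpt (not a real capture). core-sw2 never appears; web02 is stale.
SAMPLE_ARCHIVE = """\
2009 Nov 23 15:40:01 (web01) 10.1.1.10->/var/log/auth.log sshd[1234]: Accepted publickey for dav from 10.9.9.9
2009 Nov 23 15:41:12 10.1.2.1->syslog %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
2009 Nov 23 15:42:30 (dc01) 10.1.3.5->WinEvtLog Security: AUDIT_SUCCESS(4624): logon
2009 Nov 23 12:00:00 (web02) 10.1.1.11->/var/log/syslog cron[99]: (root) CMD (run-parts /etc/cron.hourly)
this line is garbage and must be skipped
"""


def parse_archive(text):
    """Return a list of (timestamp, source_ip, agent_name_or_None, location) per parsable line."""
    events = []
    for line in text.splitlines():
        m = ARCHIVE_RE.match(line)
        if not m:
            continue  # unparsable line: ignore rather than abort the whole check
        ts_text = re.sub(r"\s+", " ", m.group("ts"))  # OSSEC pads single-digit days
        ts = datetime.strptime(ts_text, "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("src"), m.group("agent"), m.group("location")))
    return events


def last_seen_by_ip(events):
    """Map source IP -> most recent timestamp observed for it."""
    seen = {}
    for ts, src, _agent, _location in events:
        if src not in seen or ts > seen[src]:
            seen[src] = ts
    return seen


def coverage_report(inventory, archive_text, now, window=timedelta(hours=1)):
    """Split the inventory into hosts seen inside the window and hosts that are silent."""
    seen = last_seen_by_ip(parse_archive(archive_text))
    silent, ok = [], []
    for host in inventory:
        last = seen.get(host["ip"])
        if last is None or now - last > window:
            silent.append(host["hostname"])
        else:
            ok.append(host["hostname"])
    return {
        "silent": sorted(silent),
        "ok": sorted(ok),
        "last_seen": {h["hostname"]: seen.get(h["ip"]) for h in inventory},
    }


def demo_report():
    """Run the check over the constructed data with a fixed 'now' (the thread's date)."""
    return coverage_report(INVENTORY, SAMPLE_ARCHIVE, datetime(2009, 11, 23, 15, 45, 50))


if __name__ == "__main__":
    report = demo_report()
    for name in report["silent"]:
        print(f"no log from {name} in window (last seen: {report['last_seen'][name]})")
```

Run against a real archive, this is the check that answers "how do I know that certain logs don't pass through": a host listed in the inventory but absent from the archive for longer than its expected logging interval has either stopped sending, is being dropped before the server, or was never connected. Silent switches and routers, which log rarely, need a longer window than servers, so in practice the window belongs in the inventory per host or per service ID.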

