OSSEC as TCP or UDP


Abdulvehhab Agin

May 16, 2016, 1:42:05 PM
to ossec-list
Hi,


We use OSSEC with about 200 clients. The default UDP port is set, and the OSSEC server handles 1 700 000 events per 2 minutes, so some packets cannot be processed, and the rids files report a duplicated error.


I am thinking of using TCP.


Do you have any experience with OSSEC communication via TCP?

dan (ddp)

May 16, 2016, 1:55:02 PM
to ossec...@googlegroups.com
I don't believe OSSEC supports TCP at the moment.


Abdulvehhab Agin

May 16, 2016, 2:10:10 PM
to ossec...@googlegroups.com
Why did you say it?


In, http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.remote.html

protocol

Specifies the protocol to use for syslog events.

Default: udp

Allowed: udp or tcp





dan (ddp)

May 16, 2016, 2:14:53 PM
to ossec...@googlegroups.com
On Mon, May 16, 2016 at 2:10 PM, Abdulvehhab Agin <abdul...@gmail.com> wrote:
> Why did you say it?
>
>
> In,
> http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.remote.html
>
> protocol
>
> Specifies the protocol to use for syslog events.
>
> Default: udp
>
> Allowed: udp or tcp
>

My apologies, I did not realize you meant the syslog input. I assumed
you meant using OSSEC agents, which use the secure method.
Details of the agent options are here:
https://ossec.github.io/docs/syntax/head_ossec_config.client.html

As far as the syslog tcp option, I won't be of much help. I avoid the
syslog options for remoted.
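
The distinction drawn in this thread, shown as an added example that is not part of any post or of the OSSEC project's own files: two `<remote>` blocks in the server's `ossec.conf`, one for agent traffic and one for plain syslog input, where the quoted `protocol` option applies. The sender address is a constructed placeholder.

```xml
<!-- Added example: server-side ossec.conf fragment (not from the thread). -->
<ossec_config>
  <!-- Agent traffic: the "secure" method dan refers to.
       Per the thread, this path did not support TCP at the time. -->
  <remote>
    <connection>secure</connection>
  </remote>

  <!-- Plain syslog input handled by remoted.
       The documented <protocol> option (default udp, allowed udp or tcp)
       applies to this connection type. -->
  <remote>
    <connection>syslog</connection>
    <protocol>tcp</protocol>
    <!-- Constructed placeholder: restrict to the hosts that send syslog. -->
    <allowed-ips>192.0.2.10</allowed-ips>
  </remote>
</ossec_config>
```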