Multi-server architecture

This is another feature that has been requested constantly for a long time, and we have only now got around to implementing it.

The idea is to allow one OSSEC server (manager) to parse the alerts from another one, creating a hierarchy of multiple servers that forward all their data to a central one.

Something like this:

agent11 -> ossec-server-1 -> ossec-central <- ossec-server2 <- agent21

This bug explains the idea as well: http://www.ossec.net/bugs/show_bug.cgi?id=24

For version 1.6, you will be able to do that by forwarding the OSSEC alerts from one server to another via syslog. In the future, I plan to expand that to use the same communication channel (encrypted, compressed, etc.) that we use for the agent communication. However, for now you will need to use syslog (or install an agent on the server itself; both should work).

To have the syslog output working, you need to add the following on the "client manager" (the server that forwards its alerts):

<syslog_output>
  <server>142.167.90.213</server>
  <port>1515</port>
</syslog_output>

And enable client-syslog:

/var/ossec/bin/ossec-control enable client-syslog

On the central server, you need to enable remote syslog (note that I am using port 1515 instead of 514):

<remote>
  <connection>syslog</connection>
  <port>1515</port>
  <allowed-ips>192.168.2.0/24</allowed-ips>
  <allowed-ips>192.168.1.0/24</allowed-ips>
</remote>

When this is done, you should start getting the alerts from all your servers (and agents) into the central one:

** Alert 1219087291.31744: mail - ossec,
2008 Aug 18 16:21:31 QA-XXX-1->1Z.YY.253.226|QA-XXXX-1->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.

Note that the location will be pipe ("|") separated. If you have any questions or suggestions, please let us know.
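As an added illustration (not part of the original post and not OSSEC's own code), here is a small Python parser for an alert block in the format shown above; it splits the pipe-separated location into its per-manager hops so the central server can tell which manager originally raised the alert. The sample alert is the block from the post; the "mail" flag and comma-separated group list in the header line follow the standard alert header layout.

```python
import re

# Sample alert as received on the central server (the block shown in the post).
SAMPLE_ALERT = """\
** Alert 1219087291.31744: mail - ossec,
2008 Aug 18 16:21:31 QA-XXX-1->1Z.YY.253.226|QA-XXXX-1->ossec-monitord
Rule: 502 (level 3) -> 'Ossec server started.'
ossec: Ossec started.
"""

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+): (?P<rest>.*)$")
STAMP_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<loc>.+)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

def location_chain(location):
    """Split a pipe-separated location into (manager, source) hops: the first
    segment is the central server seeing the forwarding manager's IP, the
    last is the manager that originally raised the alert."""
    hops = []
    for segment in location.split("|"):
        manager, _, source = segment.partition("->")
        hops.append((manager, source))
    return hops

def parse_alert(text):
    """Parse one alert block into a dict; raise ValueError if malformed."""
    lines = text.strip().splitlines()
    if len(lines) < 3:
        raise ValueError("alert block too short")
    header = HEADER_RE.match(lines[0])
    stamp = STAMP_RE.match(lines[1])
    rule = RULE_RE.match(lines[2])
    if not (header and stamp and rule):
        raise ValueError("unrecognised alert format")
    flags, _, groups = header.group("rest").partition("- ")  # "mail - ossec,"
    hops = location_chain(stamp.group("loc"))
    return {
        "id": header.group("id"),
        "mail": flags.strip() == "mail",
        "groups": [g for g in groups.split(",") if g],
        "timestamp": stamp.group("ts"),
        "hops": hops,
        "origin_manager": hops[-1][0],   # manager that generated the alert
        "origin_location": hops[-1][1],  # its local log source
        "forwarded": len(hops) > 1,      # crossed at least one server
        "rule": int(rule.group("rule")),
        "level": int(rule.group("level")),
        "description": rule.group("desc"),
        "log": "\n".join(lines[3:]),
    }
```

An alert generated locally on the central server has a single hop and `forwarded` is False, which makes it easy to route forwarded and local alerts differently.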

Thanks!