OSSEC large scale deployment

Question

We have a data-center and as a happy OSSEC user I am trying to convince my management to use it for host intrusion detection. However I have never deployed it on more than a handful of servers and I am not sure if it does scale.

Anyone has deployed OSSEC on a large scale (say 500+ servers) ? Does it scale ?

score 6 · Accepted Answer · answered May 31 '12 at 02:12

I help manage an existing deployment of 3300+ agents using a single OSSEC server that generates ~300k alerts every 24 hours.

From the OSSEC newsgroup and from direct communications I know of several OSSEC installations that go well beyond 6000 agents (typically configured using multiple OSSEC servers).

Things that we did that helped:

use ossec-authd http://www.ossec.net/doc/programs/ossec-authd.html
increase maximum # of agents + system limits (per instructions at the bottom of http://www.ossec.net/doc/faq/unexpected.html#id8)
modified ./src/addagent/validate.c (line 60, change 4000 to 9000 – to allow more agent IDs)
use a custom preloaded-vars.conf
setup binary installation http://www.ossec.net/doc/manual/installation/installation-binary.html
use puppet to automate installs, agent registration (check out http://projects.puppetlabs.com/projects/1/wiki/OSSEC-HIDS_Patterns)

score 1 · Answer 2 · answered May 13 '12 at 19:14

1

Discussion on the OSSEC list says that, with a recompile, a server can host tons of agents (the poster there, who I believe is the founder of OSSEC, says he has tried 2048).

answered May 13 '12 at 19:14

Bill Weiss

10,782
3
37
65

OSSEC large scale deployment

2 Answers2