OSSEC large scale deployment
We have a data center and, as a happy OSSEC user, I am trying to convince my management to use it for host intrusion detection. However, I have never deployed it on more than a handful of servers and I am not sure whether it scales.
Has anyone deployed OSSEC on a large scale (say 500+ servers)? Does it scale?
I help manage an existing deployment of 3300+ agents using a single OSSEC server that generates ~300k alerts every 24 hours.
From the OSSEC newsgroup and from direct communications I know of several OSSEC installations that go well beyond 6000 agents (typically configured using multiple OSSEC servers).
Things that we did that helped:
- use ossec-authd http://www.ossec.net/doc/programs/ossec-authd.html
- increase the maximum number of agents and the system limits (per the instructions at the bottom of http://www.ossec.net/doc/faq/unexpected.html#id8)
- modify ./src/addagent/validate.c (line 60: change 4000 to 9000, to allow more agent IDs)
- use a custom preloaded-vars.conf
- set up a binary installation http://www.ossec.net/doc/manual/installation/installation-binary.html
- use Puppet to automate installs and agent registration (check out http://projects.puppetlabs.com/projects/1/wiki/OSSEC-HIDS_Patterns)
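The unattended agent-side half of the procedure in the answer above (preloaded-vars.conf, binary/scripted install, registration through ossec-authd), written out as an added example; this is not the poster's script nor anything shipped by OSSEC. It assumes the OSSEC source tree is unpacked at $OSSEC_SRC, the manager is reachable at $OSSEC_MANAGER with ossec-authd listening on its default port 1515, and that the USER_* variable names match the etc/preloaded-vars.conf template of your OSSEC version (check the file before trusting it). The environment variables and function names are the example's own.

```shell
#!/bin/sh
# Unattended OSSEC agent bootstrap (added example, not OSSEC's own code).
# Steps: write preloaded-vars.conf -> run install.sh without prompts ->
# register with ossec-authd via agent-auth -> restart the agent.

# Answer install.sh's questions up front so it never prompts. Variable
# names follow the template in OSSEC's etc/preloaded-vars.conf (assumed).
# $1 = destination file, $2 = manager IP
gen_preloaded_vars() {
    dst=$1
    manager=$2
    cat > "$dst" <<EOF
USER_LANGUAGE="en"
USER_NO_STOP="y"
USER_INSTALL_TYPE="agent"
USER_DIR="/var/ossec"
USER_DELETE_DIR="y"
USER_ENABLE_ACTIVE_RESPONSE="y"
USER_ENABLE_SYSCHECK="y"
USER_ENABLE_ROOTCHECK="y"
USER_UPDATE="y"
USER_AGENT_SERVER_IP="$manager"
EOF
}

# Agent names must be unique per manager. Derive one from the host name and
# squash anything outside a conservative character set to '_', so that a
# hostname with odd characters cannot break the registration line.
# $1 = raw host name; prints the sanitized agent name
agent_name_for() {
    name=$(printf '%s\n' "$1" | sed 's/[^A-Za-z0-9_.-]/_/g')
    [ -n "$name" ] || return 1
    printf '%s' "$name"
}

# Drop the generated answers into the source tree and run the installer.
# $1 = unpacked OSSEC source dir, $2 = manager IP
install_agent() {
    src=$1
    manager=$2
    gen_preloaded_vars "$src/etc/preloaded-vars.conf" "$manager"
    (cd "$src" && ./install.sh)
}

# Register with ossec-authd. Idempotent: a host that already has a populated
# client.keys is left alone, so re-running the bootstrap (e.g. from Puppet)
# does not create a duplicate agent entry on the manager.
# $1 = manager IP, $2 = agent name, $3 = OSSEC bin dir (default /var/ossec/bin)
register_agent() {
    manager=$1
    name=$2
    bindir=${3:-/var/ossec/bin}
    keys=${bindir%/bin}/etc/client.keys
    if [ -s "$keys" ]; then
        echo "agent already registered ($keys present), skipping" >&2
        return 0
    fi
    "$bindir/agent-auth" -m "$manager" -p 1515 -A "$name"
}

main() {
    manager=${OSSEC_MANAGER:?set OSSEC_MANAGER to the manager IP}
    src=${OSSEC_SRC:-/usr/local/src/ossec-hids}
    install_agent "$src" "$manager"
    name=$(agent_name_for "$(hostname -f)") || exit 1
    register_agent "$manager" "$name"
    /var/ossec/bin/ossec-control restart
}

# Only run the full bootstrap when explicitly asked, so the file can also be
# sourced for its functions.
if [ "${OSSEC_BOOTSTRAP_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as `OSSEC_BOOTSTRAP_RUN=1 OSSEC_MANAGER=10.0.0.5 sh ossec-agent-bootstrap.sh` from the configuration-management tool. The manager-side steps from the answer (raising the compiled-in agent limit and the file-descriptor limits, the validate.c change) are separate and are not covered here. Note that the ossec-authd of that era accepts a registration from any host that can reach port 1515, so the manager's firewall rules, not this script, are what decide which machines may enrol; keep the port reachable only from the hosts you are deploying to.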
Discussion on the OSSEC list says that, with a recompile, a server can host tons of agents (the poster there, who I believe is the founder of OSSEC, says he has tried 2048).