Thank you Victor for the response.
On Thursday, July 28, 2016 at 5:52:54 PM UTC-7, Victor Fernandez wrote: > > Hi Chanti. > > By default, OSSEC doesn't allow to add an agent with a removed agent's ID. > When OSSEC adds a new agent, the information about it is written at > /var/ossec/etc/client.keys. When you remove an agent, the corresponding > line isn't removed but "tainted" with a "!" symbol. > > If you want to reuse the ID but you can't recompile OSSEC, I recommend you > to follow these steps: > > 1. Identify the agents that you want to remove. > 2. Remove them with manage_agents (it comments the line and removes > some more files) > 3. Delete the lines at client.keys referred to the removed agents. > 4. Ensure that these folders have not files about the removed agents: > > > - /var/ossec/queue/rids (files are named with the agent's ID) > - /var/ossec/queue/agent-info (files are named with "name-ip" > - /var/ossec/queue/syscheck, files are named with "(name) > ip->syscheck" > - /var/ossec/queue/rootcheck, the same as syscheck > > I hope it helps. > Kind regards. > > On Thursday, July 28, 2016 at 12:03:34 PM UTC-7, Chanti Naani wrote: >> >> Hi, >> We have a pretty decent implementation of the ossec with max clients set >> to 3000. >> So far we have generated close to 2900 client keys with in the past 1 >> year. >> But at the same time , a lot of people moved out and almost 500 endpoints >> are not in use. >> >> If we delete those 500 endpoints (using /var/ossec/bin/manage_agents -r >> $id) , will we be able to add 500 new clients to the ossec server? >> without re-compiling the ossec authd server with increased set MAX_AGENTS) >> >> we are running: >> >> OSSEC HIDS v2.8 >> >> Thanks. >> > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.