I would be interested in knowing just how long (time or in terms of amount of data in queue) the agents will continue to queue up while the OSSEC server is down.
On 9/20/07, David Williams <[EMAIL PROTECTED]> wrote:
>
> John,
> My understanding and experience of the architecture is that the
> server does all the checking and alerting. The clients pass along
> to the server what might be "interesting" information: log entries
> and file metadata. The server decides what of the information is
> important enough to alert about.
> So while the server is down, the agents will continue to queue up
> "interesting" information. When the server comes back on-line, the
> agents send their information to the server and it decides what to
> send out alerts (or active responses) about.
> So the agents will continue to check the metadata about their files
> -- but the server holds the file integrity database for the agents.
> The agents don't know if a file has changed or not, the server
> determines that. Once the server is back, it will compare the
> information the agents send about files with the database to
> determine what has changed.
> I hope that helps,
> -David
>
> Verlag Neue Stadt wrote:
> > Hello,
> >
> > we are contemplating using OSSEC and would like to know:
> >
> > What happens if the OSSEC server is down, are the clients able
> > to continue to check the integrity of the client/agent?
> >
> > Thanks a lot for any feedback!
> >
> > John
>
> --
> GPG (http://www.gnupg.org/) key available from:
> http://www.kayakero.net/per/david/
