Hi Tim,

They will continue forever :) Basically, we don't queue the logs in
memory, but we just store the location (pointer) of the last log that
was read (and for integrity checking, the last file checked). When the
server is back, we continue where we left off...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/20/07, Tim Slighter <[EMAIL PROTECTED]> wrote:
> I would be interested in knowing just how long (time or in terms of amount
> of data in queue) the agents will continue to queue up while the OSSEC
> server is down.
>
>
> On 9/20/07, David Williams <[EMAIL PROTECTED]> wrote:
> >
> > John,
> >         My understanding and experience of the architecture is that the
> > server does all the checking and alerting.  The clients pass along
> > to the server what might be "interesting" information: log entries
> > and file metadata.  The server decides what of the information is
> > important enough to alert about.
> >         So while the server is down, the agents will continue to queue up
> > "interesting" information.  When the server comes back on-line, the
> > agents send their information to the server and it decides what to send
> > out alerts (or active responses) about.
> >         So the agents will continue to check the metadata about their files
> > -- but the server holds the file integrity database for the agents.
> > The agents don't know if a file has changed or not, the server
> > determines that.  Once the server is back, it will compare the
> > information the agents send about files with the database to
> > determine what has changed.
> >         I hope that helps,
> >         -David
> >
> > Verlag Neue Stadt wrote:
> > > Hello,
> > >
> > > we are contemplating using OSSEC and would like to know:
> > >
> > > What happens if the OSSEC server is down, are the clients able
> > > to continue to check the integrity of the client/agent?
> > >
> > >
> > >
> > > Thanks a lot for any feedback!
> > >
> > > John
> > >
> > >
> > >
> > >
> > >
> >
> > --
> > _______________________________________________
> > GPG (http://www.gnupg.org/) key available from:
> > http://www.kayakero.net/per/david/
> >
>
>
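
Added example, not part of the original thread and not OSSEC's own code: a minimal Python sketch of the "store the pointer, don't queue" behaviour Daniel describes, where a reader keeps only the position of the last delivered line and resumes from it once the server accepts data again. The class name, the JSON state file, the `send` callback and the inode/size check for rotated or truncated logs are all assumptions made for illustration.

```python
import json
import os


class CheckpointedReader:
    """Forwards new log lines; persists only the last delivered position."""

    def __init__(self, log_path, state_path):
        self.log_path, self.state_path = log_path, state_path

    def _load(self):
        try:
            with open(self.state_path) as f:
                return json.load(f)
        except (FileNotFoundError, ValueError):
            return {"inode": None, "offset": 0}

    def _save(self, inode, offset):
        tmp = self.state_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"inode": inode, "offset": offset}, f)
        os.replace(tmp, self.state_path)  # atomic swap of the checkpoint

    def drain(self, send):
        """Call send(line) -> bool for each unread line; return lines delivered."""
        state, st = self._load(), os.stat(self.log_path)
        offset = state["offset"]
        if state["inode"] != st.st_ino or st.st_size < offset:
            offset = 0  # assumed policy: rotated or truncated log, start over
        delivered = 0
        with open(self.log_path, "rb") as f:
            f.seek(offset)
            while True:
                line = f.readline()
                if not line.endswith(b"\n"):
                    break  # end of file, or a line still being written
                if not send(line.rstrip(b"\n").decode("utf-8", "replace")):
                    break  # server unreachable: pointer stays before this line
                offset = f.tell()
                delivered += 1
        self._save(st.st_ino, offset)
        return delivered


if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()
    log = os.path.join(d, "sample.log")  # constructed sample log
    with open(log, "w") as f:
        f.write("sshd: failed login\nsshd: accepted login\n")
    r = CheckpointedReader(log, os.path.join(d, "pos.json"))
    print(r.drain(lambda l: False))  # server down: nothing delivered
    print(r.drain(lambda l: True))   # server back: resumes from the pointer
```

Because this sketch keeps only a position and no copy of the data, anything rotated out or truncated from the log before the server returns is never sent.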
