Hi Aaron,

These are some of the main files/directories that ossec uses:

/var/ossec/etc (has your configuration, decoders, etc)
/var/ossec/etc/client.keys (has the authentication keys)
/var/ossec/rules (all your rules)
/var/ossec/queue/rids (you need to keep this directory if you want to reuse the auth keys)
/var/ossec/queue (if you want to keep the integrity checking, rootcheck, fts, etc databases)
/var/ossec/logs (all the alerts)

In your case, you would want /var/ossec/etc/client.keys and /var/ossec/queue/rids. This would allow the agents to reconnect without re-establishing all the keys...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Sat, Oct 25, 2008 at 10:20 AM, Aaron Bliss <[EMAIL PROTECTED]> wrote:
> Hi all,
> I'm running ossec 1.6 with ~75 agents. I would like to know what needs to
> be backed up on the ossec server to ensure that if I had to recover the box,
> that I would be able to get the server up and running again without having
> to visit each client. I'm not too concerned about losing historic events
> and logs, but just the server configuration and agent key database/list
> file. Thanks for your help.
>
> Aaron
>
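An added example, not part of the original thread and not OSSEC's own tooling: shell functions that archive the two paths named in the reply (etc/client.keys and queue/rids), confirm both are in the archive, and restore them. The function names, the OSSEC_DIR variable and the archive file name are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: back up the two paths the reply names as sufficient for
# agents to reconnect. OSSEC_DIR and all function names are assumptions.
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# backup_agent_keys DEST_DIR -> prints the path of the archive it created
backup_agent_keys() {
    dest="$1"
    [ -f "$OSSEC_DIR/etc/client.keys" ] || { echo "missing etc/client.keys" >&2; return 1; }
    [ -d "$OSSEC_DIR/queue/rids" ] || { echo "missing queue/rids" >&2; return 1; }
    archive="$dest/ossec-agent-keys-$(date +%Y%m%d%H%M%S).tar.gz"
    (
        # client.keys holds the agent authentication keys, so the archive
        # must not be readable by group or others.
        umask 077
        mkdir -p "$dest" &&
        tar -C "$OSSEC_DIR" -czpf "$archive" etc/client.keys queue/rids
    ) || return 1
    echo "$archive"
}

# verify_agent_keys_backup ARCHIVE -> 0 only if both paths are in the archive
verify_agent_keys_backup() {
    listing=$(tar -tzf "$1") || return 1
    echo "$listing" | grep -qx 'etc/client.keys' || return 1
    echo "$listing" | grep -q '^queue/rids/' || return 1
}

# restore_agent_keys ARCHIVE -> unpack over OSSEC_DIR, keeping file modes
restore_agent_keys() {
    verify_agent_keys_backup "$1" || return 1
    tar -C "$OSSEC_DIR" -xzpf "$1"
}
```

Treat the resulting archive with the same care as client.keys itself, since anyone who can read it holds every agent's authentication key.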
