Hi All,

Can anyone describe the complete procedure for backing up OSSEC server and OSSEC agent files when updating the server and agents to a new OSSEC release? So with a new release, after the backup is done, we would only need to update the server and the agents, but would not need to remove/add the agents back, and would not need to extract and import the encryption keys.

The following is what I observed when trying to re-install an agent (without changing the server). I saved client.keys before I re-installed the OSSEC agent. (I did not touch the server side; the agent had already been added to the server before, and the key imported.)

1. After I re-installed the agent, the agent failed to start and I saw the following error on the screen:

2008/10/24 11:24:56 ossec-syscheckd(1210): ERROR: Queue '/opt/mcp/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/10/24 11:24:56 ossec-rootcheck(1210): ERROR: Queue '/opt/mcp/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/10/24 11:25:04 ossec-syscheckd(1210): ERROR: Queue '/opt/mcp/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/10/24 11:25:04 ossec-rootcheck(1210): ERROR: Queue '/opt/mcp/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/10/24 11:25:17 ossec-syscheckd(1210): ERROR: Queue '/opt/mcp/ossec/queue/ossec/queue' not accessible: 'Connection refused'.
2008/10/24 11:25:17 ossec-rootcheck(1211): ERROR: Unable to access queue: '/opt/mcp/ossec/queue/ossec/queue'. Giving up..

2. Restarted the server, then restarted the agent; saw the same problem.

3. Extracted the key from the server, imported the key on the client, started the agent again; failed again (agent cannot start, same error).

4. Removed the agent from the server, added the agent on the server, extracted the key for the agent, imported the key on the agent, started the agent; failed again.

6. Then removed the file ossec/etc/client.keys, imported the key for the agent again, started the agent. The above ERROR was gone and the process started, but it still had a problem connecting. The ossec.log file on the server showed the following:

2008/10/24 11:33:27 ossec-remoted(1403): ERROR: Incorrectly formated message from '1.2.3.4'.
2008/10/24 11:33:33 ossec-remoted(1403): ERROR: Incorrectly formated message from '1.2.3.4'.
2008/10/24 11:33:37 ossec-remoted(1403): ERROR: Incorrectly formated message from '1.2.3.4'.

7. Stopped the agent, stopped the server, started the server, started the agent. Finally the agent connects to the server.

--- On Tue, 10/28/08, Daniel Cid <[EMAIL PROTECTED]> wrote:

> From: Daniel Cid <[EMAIL PROTECTED]>
> Subject: [ossec-list] Re: question on server backups
> To: [email protected]
> Date: Tuesday, October 28, 2008, 2:24 PM
>
> Hi Aaron,
>
> These are some of the main files/directories that ossec uses:
>
> /var/ossec/etc (has your configuration, decoders, etc)
> /var/ossec/etc/client.keys (has the authentication keys)
> /var/ossec/rules (all your rules)
> /var/ossec/queue/rids (you need to keep this directory if you want to reuse the auth keys)
> /var/ossec/queue (if you want to keep the integrity checking, rootcheck, fts, etc databases)
> /var/ossec/logs (all the alerts).
>
> In your case, you would want /var/ossec/etc/client.keys and /var/ossec/queue/rids. This would allow the agents to reconnect without re-establishing all the keys...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Sat, Oct 25, 2008 at 10:20 AM, Aaron Bliss <[EMAIL PROTECTED]> wrote:
> > Hi all,
> > I'm running ossec 1.6 with ~75 agents. I would like to know what needs to be backed up on the ossec server to ensure that if I had to recover the box, that I would be able to get the server up and running again without having to visit each client. I'm not too concerned about losing historic events and logs, but just the server configuration and agent key database/list file. Thanks for your help.
> >
> > Aaron
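Daniel's list above amounts to a backup procedure, so here is an added example (not code from the thread or from the OSSEC project) that archives those paths from a given install prefix and then checks that etc/client.keys and queue/rids, the two items he singles out for letting agents reconnect, both made it into the archive. The prefix is a parameter because the thread shows both /var/ossec and /opt/mcp/ossec; the demo function builds a constructed directory tree with a made-up key line rather than touching a real install.

```shell
#!/bin/sh
# Added example; not code from the ossec-list thread or from the OSSEC
# project. Archives the server paths Daniel Cid lists so that a rebuilt
# server accepts its existing agents without re-importing their keys.

# ossec_backup <ossec_dir> </absolute/path/archive.tar>
# Archives each listed path that exists under <ossec_dir>, stored relative
# to it so that "tar -xf archive -C <ossec_dir>" restores them in place.
# The archive path must be absolute because we cd into <ossec_dir>.
# Prints the number of paths archived; returns 1 if none exist.
ossec_backup() {
    base=$1
    archive=$2
    set --
    # etc: ossec.conf, decoders and client.keys.  queue/rids: per-agent
    # counters that must travel together with client.keys for a reconnect
    # to work.  rules and logs are the rest of the list; the other queue/*
    # databases are left out here (add "queue" to keep them too).
    for p in etc rules queue/rids logs; do
        if [ -e "$base/$p" ]; then
            set -- "$@" "$p"
        fi
    done
    [ $# -gt 0 ] || return 1
    (cd "$base" && tar -cf "$archive" "$@") || return 1
    echo $#
}

# ossec_backup_verify <archive.tar>
# Returns 0 only if the archive holds both etc/client.keys and the
# queue/rids directory; anything less will not let agents reconnect.
ossec_backup_verify() {
    listing=$(tar -tf "$1") || return 1
    echo "$listing" | grep -qx 'etc/client.keys' || return 1
    echo "$listing" | grep -q '^queue/rids' || return 1
    return 0
}

# Demo on a constructed tree (not a real OSSEC install) so it runs
# anywhere; prints the number of paths archived (4 for this tree).
ossec_backup_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/ossec/etc" "$tmp/ossec/rules" \
             "$tmp/ossec/queue/rids" "$tmp/ossec/logs"
    # Constructed sample entry in client.keys layout: id name ip key.
    echo "001 agent01 192.0.2.10 0123456789abcdef" > "$tmp/ossec/etc/client.keys"
    echo "<ossec_config/>" > "$tmp/ossec/etc/ossec.conf"
    # Constructed placeholder for a per-agent rids counter file.
    echo "0:0" > "$tmp/ossec/queue/rids/001"
    n=$(ossec_backup "$tmp/ossec" "$tmp/ossec-backup.tar") || return 1
    ossec_backup_verify "$tmp/ossec-backup.tar" || return 1
    rm -rf "$tmp"
    echo "$n"
}
```

Restore with `tar -xf archive -C /var/ossec` after installing the new release and before starting the OSSEC processes, so that client.keys and the rids counters go back together; restoring one without the other defeats the point Daniel makes about reusing the auth keys.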
