Hello,

We are currently running an OSSEC pilot in a department at a university. Our environment consists of Mac, RHE, Solaris, SuSE and Windows hosts.

The biggest issue we face in using OSSEC is reinstalling agents because their hosts have had to have their operating systems reinstalled. This happens frequently in our environment. Whenever we try to reinstall the OSSEC agent, getting it to communicate with the server using the same key has been problematic. We have learned how to set up the agent's client.keys file using the entry in the server's client.keys file. However, we are unsure of how to reinitialize the counters for that agent in the agent's /var/ossec/queue/rids directory and the server's /var/ossec/queue/rids directory.

Because of the sheer number of potential agents in our environment, we don't want to use manage_agents to remove agents and recreate them in coordination with the reinstallation of the OS on the agent. This results in a new ID and a new key. We would rather use the same ID and key for the agent once the OS has been reinstalled on the agent. Also, manage_agents is difficult to use in an environment where we currently automate the reinstallation of the OS on the host. We'd like to include the agent reinstallation as part of the automation process.

Can anyone explain how the counters work in the /var/ossec/queue/rids directory on both the server and agent? A counter seems to be of the format x:y:, where x is something called the global counter and y is something called the local counter (according to the source code). If we reinstall an OSSEC agent and push out the key from the server's client.keys file, what do we do with the counters in the /var/ossec/queue/rids directory on the server and agent in order to allow them to communicate again?

Cheers!
Trevor
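The post above describes the rids counter files as "x:y:" pairs but does not say how the server uses them. The following is an added illustration, not code from the post or from the OSSEC project: it models the counters as a replay check in which the server stores the last accepted global:local pair per agent and accepts a message only when its pair is strictly ahead of the stored one. The acceptance rule, the agent starting its counters over at zero after a reinstall, and the sample counter strings are all assumptions made for this example, chosen to show why a reinstalled agent that reuses its key is rejected until the server-side counter for that agent is cleared.

```python
"""Model of OSSEC-style per-agent replay counters (added example, assumptions noted inline)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Counter:
    global_c: int
    local_c: int

    def is_ahead_of(self, other: "Counter") -> bool:
        # Assumed acceptance rule: strictly newer means a higher global counter,
        # or the same global counter with a higher local counter.
        return (self.global_c > other.global_c
                or (self.global_c == other.global_c and self.local_c > other.local_c))


def parse_rids(text: str) -> Counter:
    """Parse the 'x:y:' body of a rids file; the trailing colon is tolerated but not required."""
    parts = text.strip().rstrip(":").split(":")
    if len(parts) != 2:
        raise ValueError(f"malformed rids content: {text!r}")
    g, l = (int(p) for p in parts)
    if g < 0 or l < 0:
        raise ValueError("counters must be non-negative")
    return Counter(g, l)


def format_rids(c: Counter) -> str:
    """Render a counter pair in the 'x:y:' form the post describes."""
    return f"{c.global_c}:{c.local_c}:"


class AgentSide:
    """Sender counter on an agent. Assumption: it starts at 0:0 after a fresh install
    and the local counter is incremented before every message."""

    def __init__(self) -> None:
        self.sender = Counter(0, 0)

    def next_message(self) -> Counter:
        self.sender = Counter(self.sender.global_c, self.sender.local_c + 1)
        return self.sender


class ServerSide:
    """Per-agent stored counters on the server (one rids/<agent_id> file per agent, assumed)."""

    def __init__(self) -> None:
        self.stored: dict[str, Counter] = {}

    def accept(self, agent_id: str, msg: Counter) -> bool:
        stored = self.stored.get(agent_id, Counter(0, 0))
        if not msg.is_ahead_of(stored):
            return False  # replayed or stale counter: message rejected
        self.stored[agent_id] = msg
        return True

    def reset_agent(self, agent_id: str) -> None:
        """Forget the stored pair, as deleting the agent's rids file would (assumption)."""
        self.stored.pop(agent_id, None)


def simulate_reinstall(agent_id: str = "001", messages_before: int = 5) -> tuple[bool, bool]:
    """Return (accepted_after_reinstall_without_reset, accepted_after_server_reset)."""
    server = ServerSide()
    agent = AgentSide()
    for _ in range(messages_before):
        assert server.accept(agent_id, agent.next_message())

    reinstalled = AgentSide()  # same ID and key, counters back at 0:0
    first = reinstalled.next_message()
    rejected_run = server.accept(agent_id, first)  # stale versus stored 0:5

    server.reset_agent(agent_id)
    accepted_run = server.accept(agent_id, first)
    return rejected_run, accepted_run


if __name__ == "__main__":
    # Constructed sample rids content, as a sysadmin might read it from the file.
    print(parse_rids("12:345:"))
    print(simulate_reinstall())
```

The point the simulation makes is that the counters are an anti-replay mechanism, so the server-side record for an agent has to be cleared in the same automation step that restores the agent's client.keys entry; otherwise every message from the rebuilt host looks like a replay of traffic the server has already seen.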
