Hi Michael,

OSSEC does queue the data when it detects that a server goes down (but not in memory).

When it sees that the server didn't respond to the keep-alive message, it will stop all processing, including reading the logs, integrity checking, etc. When the server comes back up, it will continue where it left off. So, you do not lose the messages that happened during the offline period. Even if the log file is deleted (or rotated), the content will still be accessible and forwarded to the manager (because we have it opened, keeping the original inode).

Thanks,

* That's what you should see when the server is down (that lock is what tells you that it stopped processing):

    2009/07/31 22:44:31 ossec-agentd: WARN: Server unavailable. Setting lock.
    2009/07/31 22:44:52 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'a.b.c.d'.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Jul 28, 2009 at 2:07 PM, Michael Altfield <[email protected]> wrote:
>
> Hello all,
>
> I've been playing with OSSEC for several weeks now, and I absolutely
> love this product. IMHO, it's by far the best FOSS HIDS on the market
> with a wonderful user and developer community.
>
> I'd like to utilize OSSEC in our corporate production environment, but
> the biggest problem I've found with it is that the agents don't appear
> to queue their alerts in memory. The issue being: if the OSSEC server
> is down or there is a temporary network issue, the alerts produced by
> the agent will be lost. This functionality would be unacceptable to
> most compliance standards (namely the PCI DSS).
>
> Is there any way to ensure that all alerts sent from OSSEC hosts to
> the OSSEC server are successfully received by the OSSEC server, and to
> hold onto those alerts that were not received successfully for
> re-sending?
>
>
> Thank you,
> Michael Altfield
>
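The reply above makes two operational claims worth being able to verify on a host: the agent writes a "Setting lock" warning and then "Waiting for server reply" lines while the manager is unreachable, and a log file the agent already has open stays readable after deletion or rotation because the open descriptor keeps the inode alive. The following Python is an added example, not OSSEC's own code and not part of the original thread. It parses agent log lines in the format quoted in the reply to report lock windows (how long the agent stopped processing and which server it tried), and demonstrates the inode behaviour on a temporary file. The two WARN lines in the sample are copied from the reply; the "Connected to the server" reconnect line used to close a window is an assumption about the agent's log format, and the sample timestamps are constructed.

```python
"""Added example (not OSSEC code): detect ossec-agentd lock windows from log
lines and show why a deleted or rotated log stays readable to a process that
already holds it open (POSIX semantics)."""
import os
import re
import tempfile
from datetime import datetime

# Constructed sample. The two WARN lines are the ones quoted in the reply; the
# "Connected to the server" line is an ASSUMED reconnect message, and the
# second lock window is left open to show the "still locked" case.
SAMPLE_AGENT_LOG = """\
2009/07/31 22:44:31 ossec-agentd: WARN: Server unavailable. Setting lock.
2009/07/31 22:44:52 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'a.b.c.d'.
2009/07/31 22:46:12 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'a.b.c.d'.
2009/07/31 22:51:03 ossec-agentd(4102): INFO: Connected to the server (a.b.c.d:1514).
2009/07/31 23:10:00 ossec-agentd: WARN: Server unavailable. Setting lock.
2009/07/31 23:10:21 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'a.b.c.d'.
"""

# Matches the line shape quoted on the page; the "(4101)" message id is
# optional because the first quoted line carries none.
AGENTD_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"ossec-agentd(?:\(\d+\))?: (?P<level>[A-Z]+): (?P<msg>.*)$"
)
TRIED = re.compile(r"Tried: '(?P<server>[^']+)'")


def parse_agentd_line(line):
    """Return {'ts': datetime, 'level': str, 'msg': str}, or None if the line
    is not an ossec-agentd line."""
    m = AGENTD_LINE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "level": m["level"], "msg": m["msg"]}


def find_offline_windows(lines):
    """Group agent log lines into lock windows.

    A window opens on "Server unavailable. Setting lock." and closes on the
    (assumed) "Connected to the server" message. A window with end=None means
    the agent still holds the lock, i.e. it has stopped reading logs and
    running integrity checks until the manager answers again."""
    windows, current = [], None
    for line in lines:
        ev = parse_agentd_line(line)
        if ev is None:
            continue
        if ev["msg"].startswith("Server unavailable. Setting lock"):
            current = {"start": ev["ts"], "end": None, "attempts": 0, "servers": set()}
            windows.append(current)
        elif current is not None and current["end"] is None:
            if ev["msg"].startswith("Waiting for server reply"):
                current["attempts"] += 1
                t = TRIED.search(ev["msg"])
                if t:
                    current["servers"].add(t["server"])
            elif ev["msg"].startswith("Connected to the server"):  # assumed format
                current["end"] = ev["ts"]
    return windows


def lock_duration_seconds(window, now=None):
    """Seconds the agent spent locked (closed window) or has spent so far
    (open window, measured against `now`)."""
    end = window["end"] or now or window["start"]
    return int((end - window["start"]).total_seconds())


def unlinked_file_still_readable():
    """Demonstrate the inode claim from the reply: a reader that already has
    the log open keeps receiving data after the file is removed by name."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    with open(path, "w") as writer, open(path, "r") as reader:
        writer.write("first\n")
        writer.flush()
        first = reader.readline()
        os.remove(path)              # deletion or rotation by name
        writer.write("second\n")
        writer.flush()
        second = reader.readline()   # still served from the open inode
    return first == "first\n" and second == "second\n" and not os.path.exists(path)


if __name__ == "__main__":
    for w in find_offline_windows(SAMPLE_AGENT_LOG.splitlines()):
        state = "closed" if w["end"] else "STILL LOCKED"
        print(f"lock from {w['start']} ({state}): {w['attempts']} retries, "
              f"tried {sorted(w['servers'])}, {lock_duration_seconds(w, datetime.now())}s")
    print("open descriptor survives unlink:", unlinked_file_still_readable())
```

Run against a real `/var/opt/ossec/logs/ossec.log` (path assumed; adjust to your install) with `find_offline_windows(open(path).read().splitlines())`, an open window is the condition Michael's question is about: the agent has not lost anything, but it is also not processing new events until the lock clears, so alerting on a window older than your tolerated outage is the practical check.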
