On 12/17/2010 05:10 PM, dan (ddp) wrote:
On Fri, Dec 17, 2010 at 10:55 AM, carlopmart<[email protected]> wrote:
On 12/17/2010 04:32 PM, dan (ddp) wrote:
On Fri, Dec 17, 2010 at 4:52 AM, carlopmart<[email protected]> wrote:
Hi all,
I have installed two ossec servers to provide HA for several agents.
Using
a software load balancer, this scenario works as I expected. But I have a
problem with six servers (all linux based) that resides on the same OSSEC
servers subnet.
I can't use a load balancer in this subnet. Then,
a) Is it possible to configure at some place on the host agent side how
long logs should be kept locally??
No. Well nothing in OSSEC. The system logs will last as long as the
system is configured to store them.
Uhmmm ... I have do it a test. I have stopped ossec server. Then, I launch
ssh session to a server with an ossec agent installed. I have put a wrong
password. After, 5 min I started ossec server and ossec agent doesn't
forward this alarm ... Are you sure that if ossec server is stopped, ossec
agent stores logs and alarms until ossec server returns??
I said the system stores the log. The error will be in your system logs.
I thought the agents did a limited amount of caching when they weren't
connected to the manager, but I haven't played around with it.
This is a problem ... Somebody knows if this funcionality will be on a next
release??
--
CL Martinez
carlopmart {at} gmail {d0t} com
