On Wed, Jun 27, 2012 at 9:17 AM, anonymous <[email protected]> wrote:
> Dan,
>
> Thanks for the breakdown and quick response. The server IP will definitely
> change - since they're using centralized config all I'd need to do on the
> agents is replace the <server> element in the agent's local ossec.conf
> right? (for ease of migration I'm thinking I'll just create a new ossec.conf
> containing the correct server IP and then drop it onto all of the agents).
>

That should work. Again, I've never tried any of this. It's worked for
others on the list though.

> Also, is it absolutely necessary to kill all of the processes on the agents
> before the switch and then restart them after the switch? I think they have
> 50 or 60 Windows boxes and I'm trying to streamline if at all possible.
> Would it be ok to just drop the ossec.conf file on the agents then after the
> new server is up, restart the agent services? (theoretically this would make
> them load the new ossec.conf and would save some time...)
>

No idea. You could try it. If you do, let us know. :)

Stopping the processes is the best way to do it. Other ways may work,
but I'd be afraid of rids issues. You could turn that off I guess, but
it's not something I would want to try.

> Your continued response is sincerely appreciated!
>
> -----Original Message----- From: dan (ddp)
> Sent: Wednesday, June 27, 2012 6:32 AM
> To: [email protected]
> Subject: Re: [ossec-list] migrating ossec server - work involved?
>
>
> On Wed, Jun 27, 2012 at 2:33 AM, Glenn Roberts <[email protected]>
> wrote:
>>
>> Hello,
>>
>> My client wants to migrate the ossec manager server from a CentOS box to a
>> different CentOS box on a different network. Is there an easy way to do
>> this? I’ve set up ossec several times but am wary of migrating due to
>> needing to re-authenticate all the agents and any other caveats I may not
>> know of lol. Any suggestions, advice, previous experiences would be
>> appreciated!!
>
>
> Stop all of the OSSEC processes (agents and server). Install OSSEC on
> the new server. Copy configuration files, including client.keys, to
> the new server. Copy the rids files over (/var/ossec/queue/rids I
> think) to the new server.
>
> On the agents you'll have to change the server-ip setting if the
> server's IP changed (also check for this in the new server's
> ossec.conf). If it hasn't changed, I don't think you'll have to do
> anything.
>
> Start the OSSEC processes on the server. Then start the OSSEC
> processes on the agents. Cross your fingers. ;)
>
> Make sure you back up everything you want to keep. This process
> "should" work, but can't be guaranteed.
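
The migration steps discussed in this thread, sketched as shell helpers. This is an added example, not code from the thread or from the OSSEC project; it assumes the default install layout (etc/ossec.conf, etc/client.keys and queue/rids under the install root, normally /var/ossec), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Run bundle_manager_state on the old manager only after the
# OSSEC processes are stopped, so the rids counters are not still changing.

# bundle_manager_state OSSEC_ROOT OUT_TAR
# Archive what has to move to the new manager: config, client.keys, rids.
bundle_manager_state() {
    root=$1; out=$2
    for f in etc/ossec.conf etc/client.keys queue/rids; do
        [ -e "$root/$f" ] || { echo "missing: $root/$f" >&2; return 1; }
    done
    # client.keys holds every agent's auth key: create the archive owner-only,
    # and keep file modes (-p) so the keys are not world-readable on restore.
    ( umask 077 && tar -cpf "$out" -C "$root" etc/ossec.conf etc/client.keys queue/rids )
}

# set_server_ip CONF NEW_IP
# Rewrite <server-ip> in an agent's ossec.conf, leaving the old file as CONF.bak.
set_server_ip() {
    conf=$1; ip=$2
    # Accept only a dotted quad so the value cannot inject markup into the config.
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "bad IP: $ip" >&2; return 1; }
    grep -q '<server-ip>' "$conf" || { echo "no <server-ip> in $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak" &&
    sed "s|<server-ip>[^<]*</server-ip>|<server-ip>$ip</server-ip>|" "$conf.bak" > "$conf"
}
```

On the new manager, unpack the archive into the install root before starting the server processes, then start the agents once their ossec.conf points at the new address.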
