Hi all,
Recently I have updated two OSSEC servers to the latest version stored in
Bitbucket:
DIRECTORY="/var/ossec"
VERSION="v2012-08"
DATE="Sat Aug 25 14:59:49 GMT 2012"
TYPE="server"
After doing this, I have problems with rids on some agents:
2012/08/26 07:53:44 ossec-agentd(1214): WARN: Problem receiving message
from 172.25.50.7.
2012/08/26 07:53:49 ossec-agentd(1214): WARN: Problem receiving message
from 172.25.50.7.
2012/08/26 07:53:55 ossec-agentd(1214): WARN: Problem receiving message
from 172.25.50.7.
2012/08/26 07:53:55 ossec-agentd(4101): WARN: Waiting for server reply
(not started). Tried: '172.25.50.7'.
2012/08/26 07:53:55 ossec-agentd: INFO: Trying next server ip in the
line: '172.26.50.4'.
2012/08/26 07:53:56 ossec-agentd: INFO: Closing connection to server
(172.26.50.4:1514).
2012/08/26 07:53:56 ossec-agentd: INFO: Trying to connect to server
(172.26.50.4:1514).
2012/08/26 07:53:56 ossec-agentd: INFO: Using IPv4 for: 172.26.50.4 .
2012/08/26 07:54:03 ossec-agentd(4102): INFO: Connected to the server
(172.26.50.4:1514).
The problem is fixed by removing the rids for this agent on the 172.25.50.7 server.
On both OSSEC servers I have disabled the rids check with this option:
remoted.verify_msg_id=0
Would it be possible to implement some type of sync for rids in the new OSSEC
version? For example, configuring on OSSEC server A:
<ha-server>
<slave_server>B.B.B.B</slave_server>
<sync_rids_allowed>yes</sync_rids_allowed>
<bi-directional_sync_rids>yes</bi-directional_sync_rids>
</ha-server>
and on server B:
<ha-server>
<master_server>A.A.A.A</master_server>
<sync_rids_allowed>yes</sync_rids_allowed>
<bi-directional_sync_rids>yes</bi-directional_sync_rids>
</ha-server>
This approach could also be useful to sync, for example, local_decoder.xml
or rules.
--
CL Martinez
carlopmart {at} gmail {d0t} com
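Added example (not part of the post above and not OSSEC's own code): a small Python model of the per-agent message counter check that the rids files back, replaying the situation in the post. The server that holds a higher counter than the agent drops the agent's messages, the second server with no stored state accepts the failover, clearing the agent's entry on the first server fixes it, and a sync keeps both stores consistent; with remoted.verify_msg_id set to 0 the check is skipped entirely. The accept rule used here (a message's global:local counter pair must be strictly greater than the pair last stored for that agent), the RidsStore/Agent names, the agent id 001 and the sample counters are assumptions of this example, not taken from OSSEC's sources.

```python
# Added example, not code from the post or from OSSEC.
# Models the per-agent counter check behind the "rids" files. Assumption:
# a message carries a (global, local) counter pair and is accepted only if
# that pair is strictly greater than the pair last stored for the agent.
# All names, ids and counter values below are invented for the example.

from dataclasses import dataclass, field


@dataclass
class Counter:
    glob: int = 0  # global counter
    loc: int = 0   # local counter


@dataclass
class RidsStore:
    """One server's rids directory: agent id -> last accepted counter pair."""
    name: str
    counters: dict = field(default_factory=dict)
    verify_msg_id: bool = True  # models internal option remoted.verify_msg_id

    def accept(self, agent_id, glob, loc):
        """Return True if the message is accepted (and its counters stored)."""
        cur = self.counters.setdefault(agent_id, Counter())
        if self.verify_msg_id:
            if not (glob, loc) > (cur.glob, cur.loc):
                return False  # stale or replayed counter: message dropped
        cur.glob, cur.loc = glob, loc
        return True

    def clear_agent(self, agent_id):
        """The workaround from the post: remove the agent's rids entry."""
        self.counters.pop(agent_id, None)

    def sync_from(self, other):
        """A possible HA sync: adopt the peer's higher counters per agent."""
        for agent_id, c in other.counters.items():
            mine = self.counters.setdefault(agent_id, Counter())
            if (c.glob, c.loc) > (mine.glob, mine.loc):
                mine.glob, mine.loc = c.glob, c.loc


@dataclass
class Agent:
    agent_id: str
    glob: int = 0
    loc: int = 0

    def next_msg(self):
        self.loc += 1
        return (self.glob, self.loc)

    def reset_rids(self):
        """Agent-side counter file starts over (e.g. agent reinstalled)."""
        self.glob, self.loc = 0, 0


def scenario():
    """Replay the post's situation; returns named outcomes for checking."""
    a = RidsStore("172.25.50.7")  # server that was upgraded
    b = RidsStore("172.26.50.4")  # second server in the agent's list
    agent = Agent("001")
    out = {}

    # 1. The agent reports to A for a while; B has never seen it.
    for _ in range(3):
        a.accept(agent.agent_id, *agent.next_msg())
    out["a_after_run"] = (a.counters["001"].glob, a.counters["001"].loc)

    # 2. The agent's own counters start over; its next message is (0, 1).
    #    A still holds (0, 3) and drops it (the agent logs "Problem receiving
    #    message"); B has no entry for the agent and accepts the failover.
    agent.reset_rids()
    msg = agent.next_msg()
    out["a_rejects"] = not a.accept("001", *msg)
    out["b_accepts"] = b.accept("001", *msg)

    # 3. Workaround from the post: clear the agent's rids entry on A.
    a.clear_agent("001")
    out["a_accepts_after_clear"] = a.accept("001", *agent.next_msg())

    # 4. With a sync, B adopts A's newer counter and both stores agree.
    b.sync_from(a)
    out["stores_agree"] = a.counters["001"] == b.counters["001"]
    out["b_accepts_after_sync"] = b.accept("001", *agent.next_msg())

    # 5. remoted.verify_msg_id=0 skips the check, so a replay is accepted too.
    c = RidsStore("no-check", verify_msg_id=False)
    c.accept("001", 5, 5)
    out["unchecked_accepts_replay"] = c.accept("001", 5, 5)
    return out
```

Calling scenario() returns the outcomes of each step. The last step is the caveat worth keeping in mind with the setting the post uses: with verify_msg_id disabled, both servers also stop rejecting replayed messages, which is what the counters are there to prevent; a rids sync between the servers would let the check stay enabled.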