Hi All,

We have two OSSEC servers, one primary and the other standby (OSSEC version 
2.0). Now, in case our primary server stops functioning, what should we do 
to send all the logs from agents to the secondary server?

What we have done:

Copied the client.keys file from the primary server to the secondary server.
Copied the /var/ossec/queue/rids directory from the primary to the secondary server.
Changed the IP address of the secondary to that of the primary after taking the primary 
out of the network (so that there is no IP address conflict).

But after doing all this, we are not receiving logs on the new primary 
server.
We have checked that in OSSEC v2.6 there is an option, 
"remoted.verify_msg_id", to make all this work. Is there any option in 
OSSEC v2.0 to make this failover process feasible?

Also, when we removed the file of one agent from the rids directory and cleared 
the counter of one agent, logs from that agent started coming to the new OSSEC 
server. But this is a difficult task in large OSSEC deployments.

Please share your views and help us to resolve the issue.

Regards, 
Sumant



