I don't have much experience with this, but why not just install ossec on a separate partition that is mirrored by a software RAID that works over a network?
On Sunday, September 16, 2012 1:30:36 AM UTC-5, SUMANT wrote:
> Hi All,
>
> We have two ossec servers, one primary and the other standby (ossec version
> 2.0). Now in case our primary server stops functioning, what should we do
> to send all the logs from agents to the secondary server?
>
> What we have done:
>
> Copied client.keys file from primary server to secondary server.
> Copied /var/ossec/queue/rids directory from primary to secondary server.
> Changed the IP address of secondary to that of primary after taking
> primary out of network (so that there is no IP address conflict).
>
> But after doing all this, we are not receiving logs on the new primary
> server.
> We have checked that in ossec v2.6, there is an option
> "remoted.verify_msg_id" to make all this work. Is there any option in
> ossec v2.0 to make this failover process feasible?
>
> Also, when we removed the file of one agent from the rids directory and cleared
> the counter of one agent, logs from that agent started coming to the new ossec
> server. But this is a difficult task in large ossec deployments.
>
> Please share your views and help us to resolve the issue.
>
> Regards,
> Sumant
