On Wed, Oct 31, 2012 at 5:36 PM, Michael Namaiandeh <[email protected]> wrote:
> Hi OSSEC community,
>
> I would like to re-install my OSSEC server to a new box but I’m not sure
> what to back up from the existing install. I want to make sure that my
> client machines will still be able to send emails through the OSSEC server.
> Any help would be greatly appreciated. Thanks.
>
> -Mike

Agents do not send emails, only the server. Back up your configurations (/var/ossec/etc/ossec.conf, /var/ossec/etc/internal_options.conf), any customizations (/var/ossec/etc/local_decoder.xml, /var/ossec/etc/shared/agent.conf), and any rules (/var/ossec/rules/*_rules.xml). You may also want the client.keys (/var/ossec/etc/client.keys), and rids files (stop the OSSEC processes first! /var/ossec/queue/rids). If you created custom active responses, copy those (/var/ossec/etc/active-response/bin/*); if you have custom agentless scripts, copy those. If you don't just do a new install on the new server, copy the ossec-init.conf as well (/etc/ossec-init.conf). I can't think of anything else offhand.
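
The backup steps in the reply above, collected into one script as an added example (not part of the original message and not OSSEC's own tooling). The function name `ossec_backup` and its ROOT and ARCHIVE arguments are assumptions made for illustration; the paths are exactly those listed in the reply, and any that do not exist on the server are skipped.

```shell
#!/bin/sh
# Added example: archive the OSSEC server files listed in the reply.
# ossec_backup and its ROOT/ARCHIVE arguments are hypothetical names.

# Paths as given in the reply, relative to ROOT; globs expand at run time.
OSSEC_BACKUP_PATHS='
var/ossec/etc/ossec.conf
var/ossec/etc/internal_options.conf
var/ossec/etc/local_decoder.xml
var/ossec/etc/shared/agent.conf
var/ossec/rules/*_rules.xml
var/ossec/etc/client.keys
var/ossec/queue/rids
var/ossec/etc/active-response/bin/*
etc/ossec-init.conf
'

# Usage: ossec_backup ROOT ARCHIVE   (ROOT is / on a live server,
# ARCHIVE is an absolute path, e.g. /root/ossec-backup.tar.gz)
ossec_backup() {
    root=$1
    archive=$2
    if [ -z "$root" ] || [ -z "$archive" ]; then
        echo "usage: ossec_backup ROOT ARCHIVE" >&2
        return 2
    fi
    ctl="$root/var/ossec/bin/ossec-control"
    list=$(mktemp "${TMPDIR:-/tmp}/ossec-backup.XXXXXX") || return 1

    # Keep only the listed paths that exist; missing ones are skipped.
    (
        cd "$root" || exit 1
        for p in $OSSEC_BACKUP_PATHS; do
            if [ -e "$p" ]; then printf '%s\n' "$p"; fi
        done
    ) > "$list" || { rm -f "$list"; return 1; }

    # Stop OSSEC first so the rids counters are not changing mid-copy.
    if [ -x "$ctl" ]; then "$ctl" stop; fi

    # client.keys holds the agent keys, so create the archive owner-only.
    rc=0
    ( umask 077; tar -C "$root" -czf "$archive" -T "$list" ) || rc=$?

    rm -f "$list"
    # Assumption: the old server stays in service until the new one is ready.
    if [ -x "$ctl" ]; then "$ctl" start; fi
    return $rc
}
```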
