Just saw this thread and wish to add my 2 cents:

- Syscheck: there is a state that is in both memory and file system regarding the agents that finished creating the initial baseline and are ready. I suspect it might not trigger FIM alerts for new agents.
- Complex events (correlation): I'm not sure here but think there might be some state in the servers' memory. Does anyone have an idea on that?
- Rids: as Michael said, it would be best to get rid of the rids check in this setup.

Cheers,
Roy

Anyway, if you have the opportunity to use some stickiness / consistent hashing so each client would be served by the same server, it would probably solve all of that.

On Thursday, November 14, 2013 7:55:11 AM UTC-8, Juan Berner wrote:
> Hi, I have 5 servers sharing the same NFS folder for /var/ossec, and it
> seems to be working. I've inherited this architecture.
>
> Right now, we have about 3000 clients that connect to an F5 VIP, and then
> each client reports to this VIP. In the VIP are 5 servers sharing the same
> /var/ossec NFS folder.
>
> My question is, does this architecture work? I mean, I'm having issues with
> some clients not connecting and I'm not sure that the correlation would
> work properly, it depends if all the ossec correlation reads always from
> disk and does not save information to memory.
>
> This is a good setup to have HA.
>
> Thanks!
