Thanks Dan, I will play around and see where it goes. On Wednesday, September 3, 2014 5:30:11 PM UTC-4, dan (ddpbsd) wrote: > > > On Sep 3, 2014 5:25 PM, "ash kumar" <[email protected] <javascript:>> > wrote: > > > > Dan, > > > > That is intriguing. > > > > How do you configure the client to detect the server availability status > and sent to the standby? Can you specify multiple server-ip configurations, > in which case there would be duplicate alerts? > > > > Since I don't do any of this, it's mostly speculation. The agent and > manager communicate, and when they get no responses for a period of time > the agent will move on to the next one and the manager will report the > agent as disconnected. > I do not believe there is a way to configure duplication of managers. > > > Pardon if these questions sound silly. I just have not come across any > documentation of a HA configuration. > > > > Play around with it, learn it, write that missing documentation. > > > Thanks > > > > Ash > > > > > > > > On Tuesday, September 2, 2014 7:51:59 AM UTC-4, dan (ddpbsd) wrote: > >> > >> On Tue, Sep 2, 2014 at 7:51 AM, dan (ddp) <[email protected]> wrote: > >> > On Fri, Aug 29, 2014 at 4:52 PM, theresa mic-snare > >> > <[email protected]> wrote: > >> >> thanks ricardo and dan, > >> >> > >> >> i was wondering the very same thing. > >> >> > >> >> @dan: what do you mean by "rids" checks in particular? > >> >> > >> > > >> > The rids thing is how OSSEC tries to stop replay attacks. There's a > >> > number stores on the manager that increments with every message. If > >> > the message sent by the agent has a lower value than the one stores > on > >> > the manager, the message is rejected. > >> > There's a way to turn off this check, but I can't remember how off > >> > hand. Hopefully it's documented. Maybe it's this: > >> > > http://ossec-docs.readthedocs.org/en/latest/syntax/head_internal_options.analysisd.html#intopt-remoted.verify_msg_id > > >> > > >> > >> Oh yeah, if they get out of sync there could be issues. So turning it > >> off seems like the easiest solution. > >> > >> >> Am Freitag, 29. August 2014 20:48:56 UTC+2 schrieb dan (ddpbsd): > >> >>> > >> >>> On Fri, Aug 29, 2014 at 2:43 AM, <[email protected]> wrote: > >> >>> > Dear all, > >> >>> > > >> >>> > I have a Ossec manager and some agents, and I would like to add a > second > >> >>> > manager in active-standby or active-active mode. > >> >>> > Is possible to configure high availability in Ossec? Is there any > >> >>> > documentation about it? I'm not able to find it. > >> >>> > > >> >>> > Thanks in advance > >> >>> > > >> >>> > >> >>> Setup a second server, add the client.keys files from the first. > Turn > >> >>> off the rids checks, and add the IP to the agents. > >> >>> > >> >>> > Ricardo > >> >>> > > >> >>> > -- > >> >>> > > >> >>> > --- > >> >>> > You received this message because you are subscribed to the > Google > >> >>> > Groups > >> >>> > "ossec-list" group. > >> >>> > To unsubscribe from this group and stop receiving emails from it, > send > >> >>> > an > >> >>> > email to [email protected]. > >> >>> > For more options, visit https://groups.google.com/d/optout. > >> >> > >> >> -- > >> >> > >> >> --- > >> >> You received this message because you are subscribed to the Google > Groups > >> >> "ossec-list" group. > >> >> To unsubscribe from this group and stop receiving emails from it, > send an > >> >> email to [email protected]. > >> >> For more options, visit https://groups.google.com/d/optout. > > > > -- > > > > --- > > You received this message because you are subscribed to the Google > Groups "ossec-list" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to [email protected] <javascript:>. > > For more options, visit https://groups.google.com/d/optout. >
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
