On Tue, Sep 9, 2014 at 10:18 AM, ash kumar <[email protected]> wrote: > Thanks Dan, I will play around and see where it goes. >
Feel free to pass any notes you end up with to me. I can try to work something into the documentation. > On Wednesday, September 3, 2014 5:30:11 PM UTC-4, dan (ddpbsd) wrote: >> >> >> On Sep 3, 2014 5:25 PM, "ash kumar" <[email protected]> wrote: >> > >> > Dan, >> > >> > That is intriguing. >> > >> > How do you configure the client to detect the server availability status >> > and sent to the standby? Can you specify multiple server-ip configurations, >> > in which case there would be duplicate alerts? >> > >> >> Since I don't do any of this, it's mostly speculation. The agent and >> manager communicate, and when they get no responses for a period of time the >> agent will move on to the next one and the manager will report the agent as >> disconnected. >> I do not believe there is a way to configure duplication of managers. >> >> > Pardon if these questions sound silly. I just have not come across any >> > documentation of a HA configuration. >> > >> >> Play around with it, learn it, write that missing documentation. >> >> > Thanks >> > >> > Ash >> > >> > >> > >> > On Tuesday, September 2, 2014 7:51:59 AM UTC-4, dan (ddpbsd) wrote: >> >> >> >> On Tue, Sep 2, 2014 at 7:51 AM, dan (ddp) <[email protected]> wrote: >> >> > On Fri, Aug 29, 2014 at 4:52 PM, theresa mic-snare >> >> > <[email protected]> wrote: >> >> >> thanks ricardo and dan, >> >> >> >> >> >> i was wondering the very same thing. >> >> >> >> >> >> @dan: what do you mean by "rids" checks in particular? >> >> >> >> >> > >> >> > The rids thing is how OSSEC tries to stop replay attacks. There's a >> >> > number stores on the manager that increments with every message. If >> >> > the message sent by the agent has a lower value than the one stores >> >> > on >> >> > the manager, the message is rejected. >> >> > There's a way to turn off this check, but I can't remember how off >> >> > hand. Hopefully it's documented. Maybe it's this: >> >> > >> >> > http://ossec-docs.readthedocs.org/en/latest/syntax/head_internal_options.analysisd.html#intopt-remoted.verify_msg_id >> >> > >> >> >> >> Oh yeah, if they get out of sync there could be issues. So turning it >> >> off seems like the easiest solution. >> >> >> >> >> Am Freitag, 29. August 2014 20:48:56 UTC+2 schrieb dan (ddpbsd): >> >> >>> >> >> >>> On Fri, Aug 29, 2014 at 2:43 AM, <[email protected]> wrote: >> >> >>> > Dear all, >> >> >>> > >> >> >>> > I have a Ossec manager and some agents, and I would like to add a >> >> >>> > second >> >> >>> > manager in active-standby or active-active mode. >> >> >>> > Is possible to configure high availability in Ossec? Is there any >> >> >>> > documentation about it? I'm not able to find it. >> >> >>> > >> >> >>> > Thanks in advance >> >> >>> > >> >> >>> >> >> >>> Setup a second server, add the client.keys files from the first. >> >> >>> Turn >> >> >>> off the rids checks, and add the IP to the agents. >> >> >>> >> >> >>> > Ricardo >> >> >>> > >> >> >>> > -- >> >> >>> > >> >> >>> > --- >> >> >>> > You received this message because you are subscribed to the >> >> >>> > Google >> >> >>> > Groups >> >> >>> > "ossec-list" group. >> >> >>> > To unsubscribe from this group and stop receiving emails from it, >> >> >>> > send >> >> >>> > an >> >> >>> > email to [email protected]. >> >> >>> > For more options, visit https://groups.google.com/d/optout. >> >> >> >> >> >> -- >> >> >> >> >> >> --- >> >> >> You received this message because you are subscribed to the Google >> >> >> Groups >> >> >> "ossec-list" group. >> >> >> To unsubscribe from this group and stop receiving emails from it, >> >> >> send an >> >> >> email to [email protected]. >> >> >> For more options, visit https://groups.google.com/d/optout. >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an email to [email protected]. >> > For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
