Hi Chanti.
By default, OSSEC doesn't allow adding an agent with a removed agent's ID.
When OSSEC adds a new agent, the information about it is written to
/var/ossec/etc/client.keys. When you remove an agent, the corresponding
line isn't removed but "tainted" with a "!" symbol.
If you want to reuse the ID but you can't recompile OSSEC, I recommend that
you follow these steps:
1. Identify the agents that you want to remove.
2. Remove them with manage_agents (it comments the line and removes some
   more files).
3. Delete the lines in client.keys that refer to the removed agents.
4. Ensure that these folders have no files about the removed agents:
   - /var/ossec/queue/rids (files are named with the agent's ID)
   - /var/ossec/queue/agent-info (files are named with "name-ip")
   - /var/ossec/queue/syscheck (files are named with "(name)
     ip->syscheck")
   - /var/ossec/queue/rootcheck, the same as syscheck
I hope it helps.
Kind regards.
On Thursday, July 28, 2016 at 12:03:34 PM UTC-7, Chanti Naani wrote:
>
> Hi,
> We have a pretty decent implementation of the ossec with max clients set
> to 3000.
> So far we have generated close to 2900 client keys within the past 1
> year.
> But at the same time, a lot of people moved out and almost 500 endpoints
> are not in use.
>
> If we delete those 500 endpoints (using /var/ossec/bin/manage_agents -r
> $id), will we be able to add 500 new clients to the ossec server
> (without re-compiling the ossec authd server with increased set MAX_AGENTS)?
>
> We are running:
>
> OSSEC HIDS v2.8
>
> Thanks.
>
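
Added example (not part of the original thread and not OSSEC's own tooling): a read-only check for step 4 that reads client.keys, picks out the entries marked removed, and lists any files still present for them in the four queue folders. It assumes each client.keys line is "ID NAME IP KEY", that a removed entry carries a leading "!" on the ID or NAME field, and that rootcheck files are named "(name) ip->rootcheck"; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# List files left behind for agents whose client.keys entry is marked removed.
# Nothing is deleted; review the output before cleaning up by hand.
audit_removed_agents() {
    base=${1:-/var/ossec}
    keys="$base/etc/client.keys"
    [ -r "$keys" ] || { echo "cannot read $keys" >&2; return 2; }
    # Assumption: a removed line has "!" at the start of field 1 or field 2.
    awk '$1 ~ /^!/ || $2 ~ /^!/ {
             sub(/^!/, "", $1); sub(/^!/, "", $2); print $1, $2, $3
         }' "$keys" |
    while read -r id name ip; do
        for f in \
            "$base/queue/rids/$id" \
            "$base/queue/agent-info/$name-$ip" \
            "$base/queue/syscheck/($name) $ip->syscheck" \
            "$base/queue/rootcheck/($name) $ip->rootcheck"
        do
            if [ -e "$f" ]; then
                printf 'leftover for agent %s: %s\n' "$id" "$f"
            fi
        done
    done
    return 0
}

# Constructed sample tree (not real agent data) so the check can be tried
# offline: agent 001 is active, 002 and 003 are marked removed, and only 002
# still has files in the queue folders.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc" "$t/queue/rids" "$t/queue/agent-info" \
             "$t/queue/syscheck" "$t/queue/rootcheck"
    printf '%s\n' '001 web01 10.0.0.5 CONSTRUCTEDKEY1' \
                  '002 !lap07 10.0.0.9 CONSTRUCTEDKEY2' \
                  '003 !lap08 any CONSTRUCTEDKEY3' > "$t/etc/client.keys"
    : > "$t/queue/rids/001"
    : > "$t/queue/rids/002"
    : > "$t/queue/agent-info/lap07-10.0.0.9"
    : > "$t/queue/syscheck/(lap07) 10.0.0.9->syscheck"
    echo "$t"
}
```

Run `audit_removed_agents "$(make_sample_tree)"` to see it on the sample data, or `audit_removed_agents /var/ossec` on the server after step 2 and before deleting lines in step 3, since the check depends on the marked lines still being in client.keys.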