Old thread. Did it end up working out? We're having trouble with the sockets being on NFS even just restarting ossec on the same host (let alone on 5).
On Tuesday, June 24, 2014 at 6:17:52 PM UTC+2, Roy Feintuch wrote:
>
> Just saw this thread and wish to add my 2 cents:
> - Syscheck: there is a state that is in both memory and file system regarding the agents that finished creating the initial baseline and are ready. I suspect it might not trigger FIM alerts for new agents.
> - Complex events (correlation). I'm not sure here but think there might be some state in the servers' memory. Does anyone have an idea on that?
> - Rids - as Michael said, it would be best to get rid of the rids check in this setup.
>
> Cheers,
> Roy
>
> Anyway, if you have the opportunity to use some stickiness / consistent hashing so each client would be served by the same server, it would probably solve all of that.
>
> On Thursday, November 14, 2013 7:55:11 AM UTC-8, Juan Berner wrote:
>>
>> Hi, I have 5 servers sharing the same NFS folder for /var/ossec, and it seems to be working. I've inherited this architecture.
>>
>> Right now, we have about 3000 clients that connect to an F5 vip, and then each client reports to this VIP. In the vip are 5 servers sharing the same /var/ossec nfs folder.
>>
>> My question is, does this architecture work? I mean, I'm having issues with some clients not connecting and I'm not sure that the correlation would work properly, it depends if all the ossec correlation reads always from disk and does not save information to memory.
>>
>> This is a good setup to have HA.
>>
>> Thanks!
