On Fri, Dec 15, 2017 at 11:12 AM, 'ian diddams' via ossec-list <[email protected]> wrote:
> Having googled I can see there are other similar queries to mine, but I
> have one issue that the others haven't addressed.
>
> We run a Ossec-Hids server, as part of various SLAs and accreditations. It
> is basically a 24 x7, always on system etc. I've inherited the admin of it
> - deep joy.
>
> We have to migrate it because it's sitting on a very old CentOS 5 server -
> all part of security vulnerabilities updates
>
> All is fine to install on the new server (S2) including copying
> /var/ossec/etc and rules and queues from the old server (S1).
>
> If I run manage_agents -l I can see that S2 knows all about all the clients.
>
> The issue comes in getting the clients to happily and easily use S2.
>
> If I update the server IP and restart the client - it won't connect. The
> solution seems to be to stop server and client, remove queue/rids<agent
> number> and restart server then client and away it goes.
>
> The problem of course being... now we have potentially lost data from the
> client during the switch, and any other working clients while the server is
> down..
>
> I also found a suggestion that several listed servers in a client's config
> were used in a list-down manner ... the topmost working server was the one
> that was used and the lower ones ignored until the upper servers were not
> available. But I dunno if that is what actually happens.
>
> Has anyone a simple minimal loss of data migration guide by any chance?
> pretty please?
>

If you turn off the replay protection feature or delete the rids files from the new server before moving the agent to it, does the agent connect immediately?

> ta
>
> ian
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
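
The second option raised in the reply, deleting the rids files on the new server before an agent is pointed at it, sketched as an added example (not part of the original thread and not OSSEC's own tooling). It assumes the default layout of `etc/client.keys` and `queue/rids/<agent id>` under the install directory and that the OSSEC services on the new server are stopped while it runs; `clear_rids` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: clear per-agent replay counters (rids) on the NEW server.
# Assumed layout (default install): $dir/etc/client.keys, $dir/queue/rids/<agent id>.
# Assumed to run while the OSSEC services on the new server are stopped.
# clear_rids is a hypothetical helper name, not an OSSEC command.

# clear_rids OSSEC_DIR [AGENT_ID...]; with no IDs, every ID in client.keys is used.
clear_rids() {
    ossec_dir=$1; shift
    keys="$ossec_dir/etc/client.keys"
    rids="$ossec_dir/queue/rids"
    [ -r "$keys" ] || { echo "cannot read $keys" >&2; return 2; }
    # Default to the first field (agent ID) of every client.keys entry.
    [ $# -gt 0 ] || set -- $(awk '{print $1}' "$keys")
    for id in "$@"; do
        # IDs are digits only; reject anything else so an argument such as
        # "../etc" can never point rm outside the rids directory.
        case $id in
            ''|*[!0-9]*) echo "skip: invalid id '$id'" >&2; continue ;;
        esac
        # Only touch counters for agents this server actually has a key for.
        if ! grep -q "^$id " "$keys"; then
            echo "skip: $id not in client.keys" >&2; continue
        fi
        if [ -f "$rids/$id" ]; then
            rm -f -- "$rids/$id" && echo "cleared $id"
        else
            echo "absent $id"
        fi
    done
    return 0
}

# Demo on a constructed tree (sample data, not a real install).
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/queue/rids"
printf '001 web01 10.0.0.5 CONSTRUCTEDKEY1\n002 db01 10.0.0.6 CONSTRUCTEDKEY2\n' \
    > "$demo/etc/client.keys"
: > "$demo/queue/rids/001"
clear_rids "$demo" 001 002 ../etc
rm -rf "$demo"
```

Passing explicit agent IDs lets agents be moved in batches, so only the counters of the agents being cut over are reset.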
