yeah - basically if I stop the client and the new server, remove rids from both, and restart them it all picks up from there

I was just wondering if anybody had any actual experience of migrating an ossec hids server and if they'd come up with anything a little more bullet proof. I've already sold the fact that we don't appear to be able to not lose possible alerts albeit for a very short time. Because apart from anything else there is no second server that can stay up.

didds

On 21 December 2017 at 13:03, dan (ddp) <[email protected]> wrote:
> On Fri, Dec 15, 2017 at 11:12 AM, 'ian diddams' via ossec-list <[email protected]> wrote:
> > Having googled I can see there are other similar queries to mine, but I have one issue that the others haven't addressed.
> >
> > We run an Ossec-Hids server, as part of various SLAs and accreditations. It is basically a 24x7, always on system etc. I've inherited the admin of it - deep joy.
> >
> > We have to migrate it because it's sitting on a very old centos 5 server - all part of security vulnerabilities updates
> >
> > All is fine to install on the new server (S2) including copying /var/ossec/etc and rules and queues from the old server (S1).
> >
> > If I run manage_agents -l I can see that S2 knows all about all the clients.
> >
> > The issue comes in getting the clients to happily and easily use S2.
> >
> > If I update the server IP and restart the client - it won't connect. The solution seems to be to stop server and client, remove queue/rids/<agent number> and restart server then client and away it goes.
> >
> > The problem of course being... now we have potentially lost data from the client during the switch, and any other working clients while the server is down..
> >
> > I also found a suggestion that several listed servers in a client's config were used in a list-down manner ... the topmost working server was the one that was used and the lower ones ignored until the upper servers were not available. But I dunno if that is what actually happens.
> >
> > Has anyone a simple minimal loss of data migration guide by any chance? pretty please?
> >
>
> If you turn off the replay protection feature or delete the rids files from the new server before moving the agent to it, does the agent connect immediately?
>
> > ta
> >
> > ian
> >
> > --
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
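The step the thread settles on (stop the daemons, remove queue/rids/<agent id> on the new server, restart) is easy to get wrong by hand across many agents, so here is an added helper script for the server side. It is example code written for this page, not from the thread or the OSSEC project. It assumes OSSEC lives under /var/ossec (overridable with OSSEC_DIR), that agent ids are the three-digit ids manage_agents -l prints, and that a running server shows up as an ossec-remoted process found via pgrep; SKIP_DAEMON_CHECK=1 bypasses that check for testing. Rather than deleting the counter files it moves them into a backup directory, so the old replay-protection counters can still be inspected after the migration.

```shell
#!/bin/sh
# Added example (not from the thread or OSSEC itself): reset the
# replay-protection counter file queue/rids/<agent id> for selected agents
# on an OSSEC server, keeping a backup of each file it removes.
# Assumptions: install dir is $OSSEC_DIR (default /var/ossec); the server
# daemons were stopped first, which is checked by looking for an
# ossec-remoted process with pgrep (SKIP_DAEMON_CHECK=1 disables the check).

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Refuse to touch counters while the server runs: a live ossec-remoted keeps
# the counter in memory and would simply rewrite the file we removed.
# Fails closed when pgrep is unavailable.
server_is_stopped() {
    [ "${SKIP_DAEMON_CHECK:-0}" = "1" ] && return 0
    command -v pgrep >/dev/null 2>&1 || {
        echo "pgrep not found; cannot verify the server is stopped" >&2
        return 1
    }
    if pgrep -x ossec-remoted >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# An agent id is exactly three digits, as listed by manage_agents -l.
valid_agent_id() {
    case "$1" in
        [0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Move queue/rids/<id> into queue/rids.migration-backup/<id>.<timestamp>.
# Prints the backup path on stdout. Returns 1 on a bad id, 2 if the server
# is still running, 0 once done (also when no rids file existed).
reset_agent_rids() {
    id="$1"
    valid_agent_id "$id" || { echo "bad agent id: $id" >&2; return 1; }
    server_is_stopped || { echo "stop the OSSEC server first" >&2; return 2; }
    rids="$OSSEC_DIR/queue/rids/$id"
    backup_dir="$OSSEC_DIR/queue/rids.migration-backup"
    mkdir -p "$backup_dir"
    if [ -f "$rids" ]; then
        stamp=$(date +%Y%m%d%H%M%S)
        mv "$rids" "$backup_dir/$id.$stamp"
        echo "$backup_dir/$id.$stamp"
    else
        echo "no rids file for agent $id, nothing to do" >&2
    fi
    return 0
}

# Reset a list of agents, stopping at the first failure so one mistyped id
# does not leave the rest half-done.
reset_many() {
    for id in "$@"; do
        reset_agent_rids "$id" || return $?
    done
}

# Usage on the new server, after copying /var/ossec/etc and stopping the
# daemons:   OSSEC_DIR=/var/ossec sh reset_rids.sh 001 002 003
# Runs only when invoked as reset_rids.sh, not when the file is sourced.
if [ "${0##*/}" = "reset_rids.sh" ]; then
    reset_many "$@"
fi
```

Run it with the server stopped, then start the server and restart each agent in the order the thread describes; the backup directory can be deleted once every agent is reporting again.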
