Re: [ossec-list] Ossec agent logs to two ossec server's / sensors

2018-07-11 Thread dan (ddp)
On Tue, Jul 10, 2018 at 12:24 AM, Shaikh S.  wrote:
> Hello Dan,
>
> Thanks for your reply!!!
>
> Can you please tell me how I can configure it for failover.
>

I've never done it, so this is mostly a guess:

Create a second OSSEC manager.
Copy the client.keys file from the original manager to the new one.
Turn off the rids functionality on the servers and agents.
Add another  entry to the agents' ossec.conf files.

> Thanks !!!
>
> On Friday, July 6, 2018 at 5:41:43 PM UTC+5:30, dan (ddpbsd) wrote:
>>
>> On Fri, Jul 6, 2018 at 3:43 AM, Shaikh S.  wrote:
>> > Hello Folks,
>> >
>> > Hope you're doing well.
>> >
>> > Is it possible to configure an ossec agent to send the logs to two
>> > different servers? For example, if the DC ossec server goes down, is it
>> > possible to forward the same agent logs to the other DR ossec server?
>> > (Active / Passive monitoring)
>> >
>>
>> You can't send to both at the same time, but an agent will failover to
>> a second server after a while (30 minutes?).
>> I'm hoping the virgil security noisesocket work helps with this.
>>
>> > Any help will be grateful.
>> >
>> > Thanks in advance !!!
>> >
>> >
>> > Regards,
>> > Shaikh S.
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to ossec-list+...@googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.



Re: [ossec-list] Delete ossec-remoted processes

2018-07-11 Thread dan (ddp)
On Mon, Jul 9, 2018 at 1:30 AM, Chinmay Pandya
 wrote:
> I do not see any info in the ossec logs that suggests remoted is crashing.
>
> Any way I can confirm this?
>

When ossec-remoted starts it logs to the ossec.log. Look for entries like this:
2018/07/11 10:49:34 ossec-remoted: INFO: Started (pid: 23255).

I'm not sure why you'd get stale pid files if the process isn't restarting.

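The check suggested in the reply above, as an added example that is not part of the original thread or of OSSEC itself: it collects every ossec-remoted startup entry from ossec.log lines and reports the time between consecutive starts, so repeated process starts stand out. The function names and all sample lines except the first are constructed for illustration.

```python
import re
from datetime import datetime

# Matches the startup entry quoted in the reply above.
START_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-remoted: INFO: "
    r"Started \(pid: (\d+)\)\.\s*$"
)

def remoted_starts(lines):
    """Return [(timestamp, pid), ...] for every ossec-remoted startup entry."""
    starts = []
    for line in lines:
        m = START_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            starts.append((ts, int(m.group(2))))
    return starts

def restart_gaps(starts):
    """Return [(previous_pid, new_pid, seconds_between), ...] for consecutive starts."""
    return [
        (prev_pid, pid, int((ts - prev_ts).total_seconds()))
        for (prev_ts, prev_pid), (ts, pid) in zip(starts, starts[1:])
    ]

# Constructed sample log: the first line is from the thread, the rest are made up.
SAMPLE_LOG = """\
2018/07/11 10:49:34 ossec-remoted: INFO: Started (pid: 23255).
2018/07/11 10:49:35 ossec-analysisd: INFO: Started (pid: 23250).
2018/07/11 11:02:10 ossec-remoted: INFO: Started (pid: 24011).
2018/07/11 11:02:11 ossec-remoted: WARN: constructed non-startup line
2018/07/11 13:17:42 ossec-remoted: INFO: Started (pid: 25590).
""".splitlines()

if __name__ == "__main__":
    starts = remoted_starts(SAMPLE_LOG)
    for ts, pid in starts:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  ossec-remoted started, pid {pid}")
    for prev_pid, pid, secs in restart_gaps(starts):
        print(f"pid {prev_pid} -> {pid}: new start after {secs}s")
```

To run it against a real manager, pass the lines of its ossec.log to `remoted_starts` instead of `SAMPLE_LOG`.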