Hello,
Thank you so much, Dan. I'll try this.
Best Regards,
Shaikh S.
>
> I've never done it, so this is mostly a guess:
>
> Create a second OSSEC manager.
> Copy the client.keys file from the original manager to the new one.
> Turn off the rids functionality on the servers and agents.
>
I made sure today that when I restarted the OSSEC server, all processes had
exited (ps ax | grep ossec) before restarting. I again triggered a scan,
and watched the flood of error 2502 emails coming in:
Received From: db01.domain.com->/var/log/secure
Rule: 2502 fired (level 10) -> "User missed
Here are my logs after restarting OSSEC. I do not see any remoted errors, but
I still got stale entries:
root@ossec-1000:/ossec-server# grep remoted logs/ossec.log
2018/07/13 05:30:37 ossec-remoted: INFO: Started (pid: 4785).
2018/07/13 05:30:37 ossec-remoted: Remote syslog allowed from: '127.0.0.1'
2