OSSEC manager redundancy


Michiel van Es

Oct 31, 2013, 10:19:40 AM
to ossec...@googlegroups.com
Hello,

I am planning to setup OSSEC 2.7 for my company for about 500+ servers and some appliances.
It will be running on Red Hat 5 + 6 agents mainly.

There is a company policy that one server is the same as no server at all (redundancy is a must in my company).

Is it possible to create a redundant setup of 2 OSSEC managers, having the port 1514 UDP load balanced and both servers store their entries and databases/keys on a NAS or single (redundant) storage platform?

Has anyone else created such a setup?
I want to use rsync/bash scripting as little as possible to make the setup easy to maintain :)

Michiel

Michiel van Es

Nov 1, 2013, 5:35:34 AM
to ossec...@googlegroups.com
The problems I see with a load balanced setup:

- agents must understand a roundrobin/sticky load balancer setup with 2 OSSEC managers
- OSSEC managers must share their client keys
- Both OSSEC managers must supply their logfiles to 1 dashboard (Splunk or Kibana).

I hope these things are easy to overcome?

Any pointers or help would be useful.

Michiel

On Thursday, 31 October 2013 15:19:40 UTC+1, Michiel van Es wrote:

Chris H

Nov 1, 2013, 6:23:55 AM
to ossec...@googlegroups.com
Hi Michiel. Do you have any current load-balancers that you could set up a Virtual IP on, and point the agents to the VIP? Or use something like heartbeat.

I'm not sure how you'd sync the config, maybe store them on a mount from a SAN or even something like rsync to keep the secondary server up to date?

Chris

Michiel van Es

Nov 1, 2013, 10:35:45 AM
to ossec...@googlegroups.com
Hi Chris,

I am not worried about the load balancer with a virtual IP, we'll use F5's for that matter or heartbeat.
Perhaps I should just test it first with a simple PoC but was hoping I am not the only one running the manager in a redundant form ;)

Michiel


2013/11/1 Chris H <chris....@gmail.com>


Juan Berner

Nov 14, 2013, 9:57:35 AM
to ossec...@googlegroups.com
Hi Michiel,

Were you able to implement ossec as a cluster service?

I'm looking for a similar solution.

Thanks,

Juan

Michiel van Es

Nov 15, 2013, 2:23:55 AM
to ossec...@googlegroups.com
Hi Juan, I am afraid not completely.
You can distribute the /var/ossec/etc dir from NFS or such but load balancing UDP with SSL traffic is not working 100% for me right now.
It has to do with my load balancer setup (LVS/Pen) but I think the most important things are:
- make sure that 1 of the 2 OSSEC managers is the master and the other the slave by setting weights/priorities in your load balancer config
- make sure the return traffic works flawlessly

Hope this helps a bit.

Michiel


2013/11/14 Juan Berner <juan....@mercadolibre.com>
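One way to get the master/slave split Michiel describes without load-balancing UDP at all is the heartbeat-style VIP Chris suggested: a keepalived (VRRP) configuration on the primary OSSEC manager, shown here as an added example that is not from the thread. The VIP 192.0.2.10, interface eth0, the priorities and the auth_pass placeholder are assumptions; the secondary manager runs the same file with state BACKUP and priority 100, and both managers share /var/ossec/etc (client.keys in particular) from the NFS export mentioned above.

```conf
# keepalived.conf on the PRIMARY OSSEC manager (added example; VIP, interface,
# priorities and auth_pass are assumed values). Agents use the VIP as their
# <server-ip>, so only the manager currently holding the VIP receives
# UDP/1514 and replies from its own address: no UDP balancing and no
# return-path problem to solve.

global_defs {
    router_id ossec-mgr-1
}

# Move the VIP away when ossec-remoted is no longer running on this node.
# weight -60 pulls the primary's priority (150) below the secondary's (100),
# so the secondary wins the VRRP election and takes over the VIP.
vrrp_script chk_ossec_remoted {
    script "/usr/bin/pgrep -x ossec-remoted"
    interval 2
    fall 2
    rise 2
    weight -60
}

vrrp_instance OSSEC_VIP {
    state MASTER            # on the secondary manager: state BACKUP
    interface eth0
    virtual_router_id 51
    priority 150            # on the secondary manager: priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass CHANGE_ME # placeholder; must be identical on both managers
    }
    virtual_ipaddress {
        192.0.2.10/24 dev eth0
    }
    track_script {
        chk_ossec_remoted
    }
}
```

Watch the VRRP state transitions in syslog on both nodes during a test failover: if the VIP never moves, check that the health script path is correct and that VRRP (IP protocol 112) is allowed between the two managers.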