RIDS and Sync Issues


Winn Johnston

Aug 25, 2015, 8:04:08 PM
to ossec-list
I would like to talk about what it takes to keep the RIDS in sync. Disabling this is not an option for us. We have multiple managers, some in the network, some outside in the DMZ. I need a way to sync the RIDS so we stop getting the duplicate key error messages.

Any ideas? How have people in the past addressed this issue?

Thanks
-winn

Graeme Stewart

Sep 2, 2015, 3:14:16 PM
to ossec-list
I'm very interested in this also.

I know we can disable RIDS checking by setting:

# Verify msg id (set to 0 to disable it)
remoted.verify_msg_id=0

within: local_internal_options.conf

...but I'm unclear if the clients still check RIDS values from the server.

Saulius Pabarska

Sep 3, 2015, 5:11:25 AM
to ossec-list
I accidentally deleted rids from the server, and then got duplicate errors in the client log.
So I made a PowerShell script, which connects to the client computers, stops the ossec service, deletes files from the client rids directory, and starts the ossec service.
After that, I deleted rids from the ossec server queue\rids folder one more time, restarted the ossec services on the server, and all the clients synched successfully.
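
The client-side reset described in the post above, sketched as an added example; this is not the poster's script. It assumes WinRM remoting is enabled, that the agent service is named `OssecSvc`, that the agent sits in the default Windows install path, and that a hypothetical `ossec-clients.txt` lists one hostname per line. The server-side `queue\rids` cleanup and service restart are still done separately.

```powershell
# Added example: reset OSSEC agent RIDS counters on a list of Windows clients.
# Assumptions (not from the thread): WinRM remoting is enabled, the agent
# service is named OssecSvc, and the agent lives in the default install path.
param(
    [string]$HostList  = '.\ossec-clients.txt',   # hypothetical file, one hostname per line
    [string]$AgentPath = 'C:\Program Files (x86)\ossec-agent',
    [string]$Service   = 'OssecSvc'
)

# Skip blank lines and '#' comment lines in the host list.
$clients = Get-Content -Path $HostList | Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' }

$results = foreach ($client in $clients) {
    try {
        Invoke-Command -ComputerName $client -ErrorAction Stop -ArgumentList $AgentPath, $Service -ScriptBlock {
            param($AgentPath, $Service)
            $ridsDir = Join-Path $AgentPath 'rids'
            if (-not (Test-Path -LiteralPath $ridsDir -PathType Container)) {
                throw "rids directory not found: $ridsDir"
            }
            Stop-Service -Name $Service -Force -ErrorAction Stop
            try {
                # Remove only the counter files; leave the directory itself in place.
                $files = @(Get-ChildItem -LiteralPath $ridsDir -File)
                $files | Remove-Item -Force -ErrorAction Stop
            }
            finally {
                # Always bring the agent back, even if the delete failed.
                Start-Service -Name $Service
            }
            [pscustomobject]@{
                Client  = $env:COMPUTERNAME
                Removed = $files.Count
                Status  = (Get-Service -Name $Service).Status.ToString()
                Error   = $null
            }
        }
    }
    catch {
        [pscustomobject]@{ Client = $client; Removed = 0; Status = 'Failed'; Error = $_.Exception.Message }
    }
}

# Hosts that failed or did not come back to Running need a manual look.
$results | Select-Object Client, Removed, Status, Error | Format-Table -AutoSize
```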