Migrating ossec-hids server


ian diddams

Dec 15, 2017, 11:12:50 AM
to ossec-list
Having googled, I can see there are other similar queries to mine, but I have one issue that the others haven't addressed.

We run an OSSEC-HIDS server as part of various SLAs and accreditations. It is basically a 24x7, always-on system etc. I've inherited the admin of it - deep joy.

We have to migrate it because it's sitting on a very old CentOS 5 server - all part of security vulnerability updates.


All is fine installing on the new server (S2), including copying /var/ossec/etc, rules and queues from the old server (S1).

If I run manage_agents -l, I can see that S2 knows all about all the clients.

The issue comes in getting the clients to happily and easily use S2.

If I update the server IP and restart the client, it won't connect. The solution seems to be to stop server and client, remove queue/rids/<agent number> and restart server then client, and away it goes.

The problem, of course, being... now we have potentially lost data from the client during the switch, and from any other working clients while the server is down.

I also found a suggestion that several listed servers in a client's config were used in a list-down manner... the topmost working server was the one that was used and the lower ones ignored until the upper servers were not available. But I don't know if that is what actually happens.

Has anyone got a simple, minimal-data-loss migration guide by any chance? Pretty please?

ta

ian

dan (ddp)

Dec 21, 2017, 8:03:44 AM
to ossec...@googlegroups.com
If you turn off the replay protection feature or delete the rids files
from the new server before moving the agent to it, does the agent
connect immediately?


ian diddams

Dec 21, 2017, 8:13:13 AM
to ossec...@googlegroups.com
Yeah - basically if I stop the client and the new server, remove rids from both, and restart them, it all picks up from there.

I was just wondering if anybody had any actual experience of migrating an OSSEC HIDS server and if they'd come up with anything a little more bulletproof.

I've already sold the fact that we don't appear to be able to avoid losing possible alerts, albeit for a very short time, because apart from anything else there is no second server that can stay up.



didds



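Added example, not code from the thread or from the OSSEC project: a small script that combines dan's suggestion (delete the agent's rids file on the new server before the agent is moved, so the server never has to stop) with the agent-side steps ian describes (stop, clear rids, re-point, start). Agents are cut over one at a time, so S2 keeps serving every agent already moved and only the agent being switched is down, for the few seconds its restart takes. It assumes, and this is not from the thread, a standard /var/ossec layout on both sides (OSSEC_DIR can be overridden from the environment), agent IDs as printed by manage_agents -l, and an agent ossec.conf whose <client> block lists servers as <server-ip> elements. The rewritten config lists S2 first and keeps S1 second, relying on the multi-server behaviour ian asked about; check that against the agent documentation for your OSSEC version before leaning on it.

```shell
#!/bin/sh
# Added example, not OSSEC's own tooling: per-agent cutover from the old
# server (S1) to the new one (S2).  Assumptions (not from the thread): a
# standard /var/ossec layout, OSSEC_DIR overridable for testing, agent IDs
# as listed by manage_agents -l, and <server-ip> entries in the agent's
# <client> block.

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Server-side replay counter kept for one agent (its "rids" file).
server_rids_path() {
    printf '%s/queue/rids/%s\n' "$OSSEC_DIR" "$1"
}

# Run on S2 *before* re-pointing agent $1: drop only that agent's counter so
# its first message with a fresh counter is accepted.  No other agent's
# counter is touched and the server keeps running.
clear_server_rids() {
    f=$(server_rids_path "$1")
    if [ -f "$f" ]; then
        rm -f "$f" && echo "removed $f"
    else
        echo "no counter for agent $1 under $OSSEC_DIR/queue/rids"
    fi
}

# Rewrite an agent ossec.conf so S2 is listed first and S1 stays as a
# fallback.  Every existing <server-ip> line is replaced by the pair; the
# result goes to stdout so it can be inspected before it is installed.
rewrite_client_servers() {
    conf="$1"; new_ip="$2"; old_ip="$3"
    awk -v new="$new_ip" -v old="$old_ip" '
        /<server-ip>/ {
            if (!seen) {
                print "    <server-ip>" new "</server-ip>"
                print "    <server-ip>" old "</server-ip>"
                seen = 1
            }
            next
        }
        { print }
    ' "$conf"
}

# Agent-side cutover (ian's steps): stop, install the rewritten config,
# clear the agent's own counters, start.  The agent is down only while these
# commands run; the original config is kept as ossec.conf.bak.
agent_cutover() {
    new_ip="$1"; old_ip="$2"
    conf="$OSSEC_DIR/etc/ossec.conf"
    "$OSSEC_DIR/bin/ossec-control" stop
    rewrite_client_servers "$conf" "$new_ip" "$old_ip" > "$conf.new" \
        && cp -p "$conf" "$conf.bak" && mv "$conf.new" "$conf"
    rm -f "$OSSEC_DIR"/queue/rids/*
    "$OSSEC_DIR/bin/ossec-control" start
}

# Usage:  on S2:        sh cutover.sh server 003
#         on the agent: sh cutover.sh agent 10.0.0.2 10.0.0.1
case "${1:-}" in
    server) clear_server_rids "$2" ;;
    agent)  agent_cutover "$2" "$3" ;;
    *)      ;;   # no arguments: only define the functions
esac
```

Two caveats. Removing a single agent's rids file on S2 is preferable to dan's other option, switching replay protection off server-wide (as I recall that is remoted.verify_msg_id in etc/internal_options.conf on OSSEC 2.8 and later; verify against your version), because the global switch disables the anti-replay check for every agent rather than resetting one counter once. And the per-agent approach only removes the server downtime; an agent still cannot report during its own restart, so the short gap ian has already accepted remains, just confined to one agent at a time.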