Keys, rids and reinstalling agents
1,359 views
Skip to first unread message
tm
Jun 25, 2009, 12:20:36 PM6/25/09
to ossec-list
Hello,
We are currently running an OSSEC pilot in a department at a
university . Our environment consists of Mac, RHE, Solaris, SuSE and
Windows hosts.
The biggest issue we face in using OSSEC is reinstalling agents
because their hosts have had to have their operating systems
reinstalled. This happens frequently in our environment. Whenever we
try to reinstall the OSSEC agent, getting it to communicate with the
server using the same key has been problematic.
We have learned how to set up the agent's client.keys file using the
entry in the server's client.keys file. However, we are unsure of how
to reinitialize the counters for that agent in the agent's /var/ossec/
queue/rids directory and the server's /var/ossec/queue/rids directory.
Because of the sheer number of potential agents in our environment we
don't want to use manage_agents to remove agents and recreate them in
coordination with the reinstallation of the OS on the agent. This
results in a new ID and a new key. We would rather use the same ID
and key for the agent once the OS has been reinstalled on the agent.
Also, using manage_agents is difficult to use in an environment where
we currently automate the reinstallation of the OS on the host. We'd
like to include the agent reinstallation as part of the automation
process.
Can anyone explain how the counters work in the /var/ossec/queue/rids
directory on both the server and agent? A counter seems to be of the
format x:y: where x is something called the global counter and y is
something called the local counter (according to the source code). If
we reinstall an OSSEC agent, push out the key from the server's
client.keys file, what do we do with the counters in the /var/ossec/
queue/rids directory on the server and agent in order to allow them to
communicate again?
Cheers!
Trevor
We are currently running an OSSEC pilot in a department at a
university . Our environment consists of Mac, RHE, Solaris, SuSE and
Windows hosts.
The biggest issue we face in using OSSEC is reinstalling agents
because their hosts have had to have their operating systems
reinstalled. This happens frequently in our environment. Whenever we
try to reinstall the OSSEC agent, getting it to communicate with the
server using the same key has been problematic.
We have learned how to set up the agent's client.keys file using the
entry in the server's client.keys file. However, we are unsure of how
to reinitialize the counters for that agent in the agent's /var/ossec/
queue/rids directory and the server's /var/ossec/queue/rids directory.
Because of the sheer number of potential agents in our environment we
don't want to use manage_agents to remove agents and recreate them in
coordination with the reinstallation of the OS on the agent. This
results in a new ID and a new key. We would rather use the same ID
and key for the agent once the OS has been reinstalled on the agent.
Also, using manage_agents is difficult to use in an environment where
we currently automate the reinstallation of the OS on the host. We'd
like to include the agent reinstallation as part of the automation
process.
Can anyone explain how the counters work in the /var/ossec/queue/rids
directory on both the server and agent? A counter seems to be of the
format x:y: where x is something called the global counter and y is
something called the local counter (according to the source code). If
we reinstall an OSSEC agent, push out the key from the server's
client.keys file, what do we do with the counters in the /var/ossec/
queue/rids directory on the server and agent in order to allow them to
communicate again?
Cheers!
Trevor
cnk
Jun 28, 2009, 8:02:22 PM6/28/09
to ossec...@googlegroups.com
Hey Trevor,
I just had the same issue and resolved it with these steps:
-stop the agent and delete all files in the rids directory on that agent
-delete the file associated with that agent ID in the rids directory
on the server
cheers,
cnk
tm
Jun 29, 2009, 10:59:43 AM6/29/09
to ossec-list
Thanks, CNK.
Another strategy we have discovered is to shutdown the agent and
backup the /var/ossec/etc and /var/ossec/queue/rids directories in
that order. Then after the OS has been reinstalled on the agent's
host and the agent is reinstalled, restore the etc and rids
directories. Of course this works fine only if the agent's host can
be brought down in a controlled fashion. If, for example, the hard
disk crashed, then the only other alternative is to do what you
suggested.
Cheers!
> > Trevor- Hide quoted text -
>
> - Show quoted text -
Another strategy we have discovered is to shutdown the agent and
backup the /var/ossec/etc and /var/ossec/queue/rids directories in
that order. Then after the OS has been reinstalled on the agent's
host and the agent is reinstalled, restore the etc and rids
directories. Of course this works fine only if the agent's host can
be brought down in a controlled fashion. If, for example, the hard
disk crashed, then the only other alternative is to do what you
suggested.
Cheers!
>
> - Show quoted text -
Reply all
Reply to author
Forward
0 new messages