On Wednesday, 20 November 2013 02:14:39 UTC+1, 89be...@gmail.com wrote:
>
> Hi,
>
> I checked and the only thing I can find is that every second these messages
> appear:
>
> 2013/11/19 21:12:05 ossec-authd: INFO: New connection from x.y.c.10
> 2013/11/19 21:12:06 ossec-authd: ERROR: SSL read error (-1)
> 2013/11/19 21:12:07 ossec-authd: ERROR: SSL Accept error (0)
> 2013/11/19 21:12:07 ossec-authd: INFO: New connection from x.y.c.11
> 2013/11/19 21:12:08 ossec-authd: ERROR: SSL read error (-1)
> 2013/11/19 21:12:08 ossec-authd: ERROR: SSL Accept error (0)
> 2013/11/19 21:12:08 ossec-authd: ERROR: SSL Accept error (0)
> 2013/11/19 21:12:08 ossec-authd: INFO: New connection from x.y.c.11
> 2013/11/19 21:12:08 ossec-authd: INFO: New connection from x.y.c.10
> 2013/11/19 21:12:09 ossec-remoted(1213): WARN: Message from x.y.c.11 not allowed.
>
> Could this be related?
>
This is strange, as the agents connect 1 time to get a valid key (client.keys file) and don't have to authenticate anymore. Since /var/ossec (and thus /var/ossec/etc/client.keys) is stored on all machines, this should allow all the agents to connect to every ossec server.

I am also looking into the HA OSSEC setup and am not sure if OSSEC is HA load balancing ready. I am looking into heartbeat with a master/slave scenario to see if that works for HA (clients always connect to 1 server and not several different servers).

Michiel

>
> On Thursday, November 14, 2013 1:38:45 PM UTC-3, Michael Starks wrote:
>>
>> On 2013-11-14 9:55, 89be...@gmail.com wrote:
>> > Hi, I have 5 servers sharing the same NFS folder for /var/ossec, and
>> > it seems to be working. I've inherited this architecture.
>> >
>> > Right now, we have about 3000 clients that connect to an F5 vip, and
>> > then each client reports to this VIP. In the vip are 5 servers sharing
>> > the same /var/ossec nfs folder.
>> >
>> > My question is, does this architecture work? I mean, I'm having issues
>> > with some clients not connecting and I'm not sure that the correlation
>> > would work properly, it depends if all the ossec correlation reads
>> > always from disk and does not save information to memory.
>>
>> The only thing I can think of that might be a problem is the rids. Check
>> ossec.log to see if anything is being denied.
>>
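
As an added example that is not part of the thread: a small triage script for the "check ossec.log" advice, which counts ossec-authd connections, authd SSL errors and ossec-remoted "not allowed" messages per source. The sample log is constructed in the format quoted above with placeholder addresses, and the `max_enrollments` threshold is an assumption based on the reply's point that an agent only needs ossec-authd once.

```python
import re
from collections import Counter

# Constructed sample in the ossec.log format quoted in the thread; the
# addresses are documentation placeholders, not values from the thread.
SAMPLE_LOG = """\
2013/11/19 21:12:05 ossec-authd: INFO: New connection from 192.0.2.10
2013/11/19 21:12:06 ossec-authd: ERROR: SSL read error (-1)
2013/11/19 21:12:07 ossec-authd: ERROR: SSL Accept error (0)
2013/11/19 21:12:07 ossec-authd: INFO: New connection from 192.0.2.11
2013/11/19 21:12:08 ossec-authd: INFO: New connection from 192.0.2.11
2013/11/19 21:12:08 ossec-authd: INFO: New connection from 192.0.2.10
2013/11/19 21:12:09 ossec-remoted(1213): WARN: Message from 192.0.2.11 not allowed.
"""

# timestamp, daemon name with optional (pid), level, message
LINE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) "
    r"(?P<daemon>[\w-]+)(?:\(\d+\))?: (?P<level>[A-Z]+): (?P<msg>.*)$"
)
AUTHD_CONN = re.compile(r"^New connection from (\S+)$")
DENIED = re.compile(r"^Message from (\S+) not allowed\.?$")


def summarize(log_text, max_enrollments=1):
    """Count authd connections, authd SSL errors and remoted denials per source."""
    conns, denied, ssl_errors = Counter(), Counter(), 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        daemon, level, msg = m["daemon"], m["level"], m["msg"]
        if daemon == "ossec-authd":
            if (c := AUTHD_CONN.match(msg)):
                conns[c.group(1)] += 1
            elif level == "ERROR" and msg.startswith("SSL"):
                ssl_errors += 1
        elif daemon == "ossec-remoted" and (d := DENIED.match(msg)):
            denied[d.group(1)] += 1
    # Assumed threshold: a source that connects to authd more often than
    # max_enrollments is re-enrolling instead of using its stored key.
    repeat = {ip: n for ip, n in conns.items() if n > max_enrollments}
    return {"repeat_enrollers": repeat, "denied": dict(denied),
            "authd_ssl_errors": ssl_errors}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Sources that appear under both `repeat_enrollers` and `denied` are the ones to compare against the shared client.keys file first.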