[ossec-list] Re: can we re-use agentID's
Hmm -- I re-use IDs all the time. Did it when I had 30,000+ agents, and now with only 10,000. You just have to delete the key (I don't like that they are commented out) and make sure you remove the rids agent files in /var/ossec/queue/ossec/rids - find the number of the agent you removed and remove that file. Then you are free to re-use agent IDs all the time. Cheers Kat On Thursday, July 28, 2016 at 2:03:34 PM UTC-5, Chanti Naani wrote: > > Hi, > We have a pretty decent implementation of the ossec with max clients set > to 3000. > So far we have generated close to 2900 client keys with in the past 1 > year. > But at the same time , a lot of people moved out and almost 500 endpoints > are not in use. > > If we delete those 500 endpoints (using /var/ossec/bin/manage_agents -r > $id) , will we be able to add 500 new clients to the ossec server? > without re-compiling the ossec authd server with increased set MAX_AGENTS) > > we are running: > > OSSEC HIDS v2.8 > > Thanks. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: can we re-use agentID's
Thank you Victor for the response. On Thursday, July 28, 2016 at 5:52:54 PM UTC-7, Victor Fernandez wrote: > > Hi Chanti. > > By default, OSSEC doesn't allow to add an agent with a removed agent's ID. > When OSSEC adds a new agent, the information about it is written at > /var/ossec/etc/client.keys. When you remove an agent, the corresponding > line isn't removed but "tainted" with a "!" symbol. > > If you want to reuse the ID but you can't recompile OSSEC, I recommend you > to follow these steps: > >1. Identify the agents that you want to remove. >2. Remove them with manage_agents (it comments the line and removes >some more files) >3. Delete the lines at client.keys referred to the removed agents. >4. Ensure that these folders have not files about the removed agents: > > >- /var/ossec/queue/rids (files are named with the agent's ID) > - /var/ossec/queue/agent-info (files are named with "name-ip" > - /var/ossec/queue/syscheck, files are named with "(name) > ip->syscheck" > - /var/ossec/queue/rootcheck, the same as syscheck > > I hope it helps. > Kind regards. > > On Thursday, July 28, 2016 at 12:03:34 PM UTC-7, Chanti Naani wrote: >> >> Hi, >> We have a pretty decent implementation of the ossec with max clients set >> to 3000. >> So far we have generated close to 2900 client keys with in the past 1 >> year. >> But at the same time , a lot of people moved out and almost 500 endpoints >> are not in use. >> >> If we delete those 500 endpoints (using /var/ossec/bin/manage_agents -r >> $id) , will we be able to add 500 new clients to the ossec server? >> without re-compiling the ossec authd server with increased set MAX_AGENTS) >> >> we are running: >> >> OSSEC HIDS v2.8 >> >> Thanks. >> > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
[ossec-list] Re: can we re-use agentID's
Hi Chanti. By default, OSSEC doesn't allow to add an agent with a removed agent's ID. When OSSEC adds a new agent, the information about it is written at /var/ossec/etc/client.keys. When you remove an agent, the corresponding line isn't removed but "tainted" with a "!" symbol. If you want to reuse the ID but you can't recompile OSSEC, I recommend you to follow these steps: 1. Identify the agents that you want to remove. 2. Remove them with manage_agents (it comments the line and removes some more files) 3. Delete the lines at client.keys referred to the removed agents. 4. Ensure that these folders have not files about the removed agents: - /var/ossec/queue/rids (files are named with the agent's ID) - /var/ossec/queue/agent-info (files are named with "name-ip" - /var/ossec/queue/syscheck, files are named with "(name) ip->syscheck" - /var/ossec/queue/rootcheck, the same as syscheck I hope it helps. Kind regards. On Thursday, July 28, 2016 at 12:03:34 PM UTC-7, Chanti Naani wrote: > > Hi, > We have a pretty decent implementation of the ossec with max clients set > to 3000. > So far we have generated close to 2900 client keys with in the past 1 > year. > But at the same time , a lot of people moved out and almost 500 endpoints > are not in use. > > If we delete those 500 endpoints (using /var/ossec/bin/manage_agents -r > $id) , will we be able to add 500 new clients to the ossec server? > without re-compiling the ossec authd server with increased set MAX_AGENTS) > > we are running: > > OSSEC HIDS v2.8 > > Thanks. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
