{"id":158,"date":"2008-08-18T22:01:00","date_gmt":"2008-08-18T22:01:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=158"},"modified":"2020-07-02T22:01:50","modified_gmt":"2020-07-02T22:01:50","slug":"multi-server-architecture","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2008\/08\/multi-server-architecture\/","title":{"rendered":"Multi-server architecture"},"content":{"rendered":"\n<p>This is another&nbsp;<a href=\"http:\/\/www.ossec.net\/bugs\/show_bug.cgi?id=24\">feature<\/a>&nbsp;that has been requested constantly for a long time, and only now have we gotten around to implementing it.<\/p>\n\n\n\n<p>The idea is to allow one&nbsp;<a href=\"http:\/\/www.ossec.net\/\">OSSEC<\/a>&nbsp;server (manager) to parse the alerts from another one, creating a hierarchy of multiple servers able to forward all their data to a central one.<\/p>\n\n\n\n<p>Something like this:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>agent11 -&gt; ossec-server-1 -&gt; ossec-central &lt;- ossec-server2 &lt;- agent21<\/p><\/blockquote>\n\n\n\n<p>This bug report explains the idea as well:&nbsp;<a href=\"http:\/\/www.ossec.net\/bugs\/show_bug.cgi?id=24\">http:\/\/www.ossec.net\/bugs\/show_bug.cgi?id=24<\/a><\/p>\n\n\n\n<p>For version 1.6, you will be able to do that by forwarding the OSSEC alerts from one server to another&nbsp;<a href=\"http:\/\/www.ossec.net\/dcid\/?p=139\">via syslog<\/a>. In the future, I plan to expand that to use the same communication channel (encrypted, compressed, etc.) that we use for the agent communication. 
However, for now you will need to use syslog (or install an agent on the server itself; both should work).<\/p>\n\n\n\n<p>To get syslog forwarding working, you need to add the following on the \u201cclient manager\u201d:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>&lt;syslog_output&gt;<br>&lt;server&gt;142.167.90.213&lt;\/server&gt;<br>&lt;port&gt;1515&lt;\/port&gt;<br>&lt;\/syslog_output&gt;<\/p><\/blockquote>\n\n\n\n<p>And enable client-syslog:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>#&nbsp;<strong>\/var\/ossec\/bin\/ossec-control enable client-syslog<\/strong><\/p><\/blockquote>\n\n\n\n<p>On the central server, you need to enable remote syslog (note that I am using port 1515 instead of 514):<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>&lt;remote&gt;<br>&lt;connection&gt;syslog&lt;\/connection&gt;<br>&lt;port&gt;1515&lt;\/port&gt;<br>&lt;allowed-ips&gt;192.168.2.0\/24&lt;\/allowed-ips&gt;<br>&lt;allowed-ips&gt;192.168.1.0\/24&lt;\/allowed-ips&gt;<br>&lt;\/remote&gt;<\/p><\/blockquote>\n\n\n\n<p>Once this is done, you should start receiving the alerts from all your servers (and agents) on the central one:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>** Alert 1219087291.31744: mail \u2013 ossec,<br>2008 Aug 18 16:21:31 QA-XXX-1-&gt;1Z.YY.253.226|QA-XXXX-1-&gt;ossec-monitord<br>Rule: 502 (level 3) -&gt; \u2018Ossec server started.\u2019<br>ossec: Ossec started.<\/p><\/blockquote>\n\n\n\n<p>Note that the location field will be pipe (\u201c|\u201d) separated. If you have any questions or suggestions, please let us know.<\/p>\n\n\n\n<p>Thanks!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This is another&nbsp;feature&nbsp;that has been requested constantly for a long time, and only now have we gotten around to implementing it. The idea is to allow one&nbsp;OSSEC&nbsp;server (manager) to parse the alerts from another one, creating a hierarchy of multiple servers able to forward all their data to a central one. 
Something like this: agent11 [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[8],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/158"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=158"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/158\/revisions"}],"predecessor-version":[{"id":159,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/158\/revisions\/159"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=158"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=158"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=158"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}