ossec批量部署中遇到了很多问题,说下其中的两个。
1、key_gen.py该脚本一次最多生成1000个keys,超过1000台agent,需多生成几次,只要ip对应正确的key即可。agent的名字最大支持32个字符,超过32个字符就会报错。
该脚本可以添加、移除、提取、导入agent
/root/ossec-hids-2.8.3/contrib/ossec-batch-manager.pl
Usage: /root/ossec-hids-2.8.3/contrib/ossec-batch-manager.pl [OPERATION] [OPTIONS]
[operations]
-a or --add = Add a new agent
-r or --remove [id] = Remove agent
-e or --extract [id|name|ip] = Extract key
-m or --import [keydata] = Import key
-l or --list = List available agents
[options]
-k or --key [keydata] = Key data
-n or --name [name] = Agent name (32 character max)
-i or --id [id] = Agent identification (integer)
-p or --ip [ip] = IP address
2、每一台ossec-server默认支持256个agent,最大支持2048个agent。要想支持2048个agent,需要在安装之前设置一下。
[root@ossec-server ~]# cd ossec-hids-2.8.3/src/
[root@ossec-server src]# make setmaxagents
Specify maximum number of agents: 2048
Maximum number of agents set to 2048.
[root@ossec-server src]# cd ..
[root@ossec-server ossec-hids-2.8.3]# ./install.sh
...
...
linux系统默认最大打开文件数为1024,需要修改内核参数为2048
[root@ossec-server ossec-hids-2.8.3]# ulimit -n 2048
[root@ossec-server ossec-hids-2.8.3]# sysctl -w kern.maxfiles=2048
[root@ossec-server ossec-hids-2.8.3]# sysctl -w net.core.rmem_default=5123840
[root@ossec-server ossec-hids-2.8.3]# sysctl -w net.core.rmem_max = 5123840
设置开机自启动,在该文件最后添加
[root@ossec-server ossec-hids-2.8.3]# vi /etc/profile
ulimit -n 2048
[root@ossec-server ossec-hids-2.8.3]# vi /etc/security/limits.conf
ossec soft nofile 2048
ossec hard nofile 2048
ossecr soft nofile 2048
ossecr hard nofile 2048
设置完成之后,执行命令生效
[root@ossec-server ossec-hids-2.8.3]# source /etc/profile
[root@ossec-server ossec-hids-2.8.3]# sysctl -p
查看是否成功设置open files为2048
[root@ossec-server ossec-hids-2.8.3]# ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 62838
max locked memory (kbytes, -l) 64
max memory size (kbytes, -m) unlimited
open files (-n) 2048
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 62838
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
启动ossec服务,在ossec日志里面也可以查看是否设置成功
[root@ossec-server ossec-hids-2.8.3]# grep '2048' /var/ossec/logs/ossec.log
2016/03/29 14:11:37 ossec-remoted(4111): INFO: Maximum number of agents allowed: '2048'.
2016/03/29 14:12:09 ossec-remoted(4111): INFO: Maximum number of agents allowed: '2048'.