forgot to tell... this is on a HA active/passive cluster...
I did started node1 then disabled the IPS... then started node2...
and checked on the master node1 console, the process ips-reporter.pl is still running... whereas after node2 is synced ips-reporter.pl is not running !!!
so maybe you forgot to kill/stop the ips-reporter.pl after disabling IPS ? I think a reboot will make it not started right ? but if this is the case this is a bug to not stop ips-reporter.pl if we disable IPS...
and if enabling IPS again... seems snort is started on both nodes... but ips-reporter.pl is running only on node1 with same process id, from initial... but on node2 ips-reporter.pl is not running most of the time... time to time with regular ps ax I see ips-reporter.pl but not with same process id... is it crashing on node2 (SLAVE) ?
ips-report ist not the ips daemon. this is only the reporting script which update the tables and reports at the asg with information from the ips logfile. If you disable IPS there is still content in /var/log/ips.log. The report script is only running on node1 because node2 will get the data from the synced postgres database
ips-report ist not the ips daemon. this is only the reporting script which update the tables and reports at the asg with information from the ips logfile. If you disable IPS there is still content in /var/log/ips.log. The report script is only running on node1 because node2 will get the data from the synced postgres database
greetings
Andreas
ok I know that snort is the daemon for the IPS, and ips-reporter is to handle all stats and other stuff.. but was not sur if it is exepected to be shutdown also if we disable IPs...
