I deleted some of the lines starting with bang (!) but that didn't clear up
the problem. My client.keys is now smaller than 2048, but I still can't add
agents. I was able to duplicate this problem on a fresh install in vagrant.
Using the bin/manage_agents command I was able to add over 4k clients (and
clients.keys grew without problem). However, when I try to add a new agent
through authd... I get the same internal error problem.
Results of commands:
$ cat /var/ossec/etc/client.keys | wc -l
2032
$ cat /var/ossec/etc/client.keys | grep -P "^\d+\s*\!" -v | wc -l
209
$ cat /var/ossec/etc/client.keys | grep -P "^\d+\s*\!" | wc -l
1823
On Mon, May 22, 2017 at 6:28 PM, Jesus Linares <je...@wazuh.com> wrote:
> Hi,
>
> as you mentioned, it seems that inactive agents are counting for the limit
> (2048 agents). Run the following commands in order to know the size of the
> *client.keys
> *file:
>
> - Total lines: cat /var/ossec/etc/client.keys | wc -l
> - Active agents: cat /var/ossec/etc/client.keys | grep -P "^\d+\s*\!"
> -v | wc -l
> - Inactive agents: cat /var/ossec/etc/client.keys | grep -P
> "^\d+\s*\!" | wc -l
>
> The solution could be clean the client.keys (lines with "!") after
> removing the agent.
>
> Regards.
>
>
> On Monday, May 22, 2017 at 11:05:38 AM UTC+2, Topper Bowers wrote:
>>
>> Hi,
>>
>> My client has a highly dynamic environment and we're using OSSEC (wazuh
>> 1.1.1 release, OSSEC v2.8). When a server spins up, it registers itself as
>> an agent to the servers authd and everything was going ok. However, my
>> client.keys file is now 2048 lines long and no new agents can register.
>> They get an "(internal error)" that we see in the /var/ossec/logs/ossec.log
>>
>> We have a process in place to remove inactive agents using the
>> `/var/ossec/bin/manage_agents -r ${ossec_id}` command. And if you use
>> /var/ossec/bin/manage_agents -l only about 100 agents show up.
>>
>> I've seen this https://groups.google.com/forum/#!topic/ossec-list/lgFD
>> OlR6zNg and it looks remarkably similar to what we're seeing. However,
>> we don't actually have thousands of active agents. It seems like inactive
>> agents are counting against the limit. Since we have a really dynamic
>> environment with servers going up and down all the time, increasing the
>> limit seems like it's just pushing out the inevitable.
>>
>> In summary... dynamic environment, can't add new agents, only 100 or so
>> active agents, 2048 lines in client.keys. No other error messages besides
>> "internal error"
>>
>> Any suggestions?
>>
>> Thanks!
>>
>> Topper
>>
> --
>
> ---
> You received this message because you are subscribed to a topic in the
> Google Groups "ossec-list" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/
> topic/ossec-list/k_MFr5aAjRU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
--
*Topper Bowers*
*Engineering*
*Vitals* | 160 Chubb Ave, Suite 301, Lyndhurst, NJ 07071, USA
M : 646.515.6630
http://www.vitals.com
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
