--------------------------------------------
On Fri, 12/9/16, Chris Decker <ch...@chris-decker.com> wrote:

 Subject: Re: [ossec-list] remoted Dropping Events
 To: "ossec-list" <ossec-list@googlegroups.com>
 Date: Friday, December 9, 2016, 6:24 PM
 
 Dan,

 Thanks for your help.

 Is ossec-remoted listed in the DAEMONS variable in the script?

 It was not, but I added it after noticing it wasn't in there. If I tell ossec-control to stop, remoted stops as expected:

 [root@logger01 limits.d]# /var/ossec/bin/ossec-control stop
 Killing ossec-monitord ..
 Killing ossec-logcollector ..
 Killing ossec-syscheckd ..
 Killing ossec-analysisd ..
 Killing ossec-maild ..
 Killing ossec-remoted ..
 Killing ossec-execd ..
 Wazuh v1.2 Stopped

 However, if I tell ossec-control to start, it starts everything but I don't see remoted referenced:

 [root@logger01 limits.d]# /var/ossec/bin/ossec-control start
 Starting Wazuh v1.2 (maintained by Wazuh Inc.)...
 Started wazuh-moduled...
 Started ossec-maild...
 Started ossec-execd...
 Started ossec-analysisd...
 Started ossec-logcollector...
 2016/12/09 11:22:51 rootcheck: Rootcheck disabled. Exiting.
 2016/12/09 11:22:51 ossec-syscheckd: WARN: Rootcheck module disabled.
 Started ossec-syscheckd...
 Started ossec-monitord...
 Completed.

 The only thing I removed from that list of modules was the ossec-wuzuh module because I do not currently use it.

 What is your remote configuration in your ossec.conf?

   <remote>
     <connection>secure</connection>
   </remote>

   <remote>
     <connection>syslog</connection>
     <protocol>tcp</protocol>
     <port>514</port>
     <allowed-ips>10.0.0.0/8</allowed-ips>
   </remote>
   <remote>
     <connection>syslog</connection>
     <protocol>udp</protocol>
     <port>514</port>
     <allowed-ips>10.0.0.0/8</allowed-ips>
   </remote>

 Dave's comment jogged my memory about why remoted is running 3 separate processes - 1514/udp, 514/udp and 514/tcp.
 
 
 On Friday, December 9, 2016 at 10:33:50 AM UTC-5, dan (ddpbsd) wrote:

 On Dec 9, 2016 9:17 AM, "Chris Decker" <ch...@chris-decker.com> wrote:

 Victor,

 On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote:

 Hi,

 Agents should send a keepalive every 10 minutes (600 seconds) by default, and this should be enough. But you can reduce that time in the agent's ossec.conf:

 <ossec_config>
   <client>
     <server-ip>1.2.3.4</server-ip>
     <notify_time>60</notify_time>
   </client>
 </ossec_config>

 If you see any agent disconnected, check its ossec.log file.

 On the other hand, as Dan says, the manager will discard two identical consecutive messages, so you should generate different messages for the logs (using a random string or the date).

 These events were from auditd and were unique enough that OSSEC should treat them as such.

 Sorry, I thought you wrote that the logs were the same.

 If you think that there could be network congestion, you may try to connect using TCP, adding, at the agent's ossec.conf:

 <ossec_config>
   <client>
     <server-ip>1.2.3.4</server-ip>
     <protocol>tcp</protocol>
   </client>
 </ossec_config>

 And, on the manager's ossec.conf:

 <ossec_config>
   <remote>
     <connection>secure</connection>
     <protocol>tcp</protocol>
   </remote>
 </ossec_config>

 I'm going to give this a try.

 One thing I've noticed is that the ossec-control script isn't starting up remoted. If I start remoted by hand it starts, but then I see 3 remoted processes. I've never come across this issue before. Do you know what could be causing it?

 Is ossec-remoted listed in the DAEMONS variable in the script? What is your remote configuration in your ossec.conf?

 Please test it and write back to us if this doesn't solve the problem. All feedback is welcome.

 Hope it helps. Best regards.
 
 On Friday, December 9, 2016 at 6:30:08 AM UTC+1, dan (ddpbsd) wrote:

 On Dec 8, 2016 4:41 PM, "Chris Decker" <ch...@chris-decker.com> wrote:

 All,

 I have an OSSEC instance (running the latest/greatest Wazuh code cloned from GitHub) that has about 1k active hosts. I've noticed recently that hosts are flipping back and forth between Active and Disconnected.

 Perhaps the manager is too busy? I can't remember the host limit offhand, but I believe ossec limits the number of agents to a number smaller than 1000.

 I've also noticed that not all of the log messages from "Active" hosts are being received by the Manager. For example, I have an agent that generates the same log message every second. I have debug enabled on the Agent and I can see logcollector reading each message, but only some of the messages are received on the Manager (I monitored it for a while and it's not that the messages show up later due to network congestion--I don't see the messages ever being received). I tried disabling the agent ID checks on both the Manager and Agent but that didn't have any impact.

 Ossec will discard some repeated messages. I forget the timeframe offhand though.

 I suspect there is a misconfiguration or limit I am running into on my Manager running RHEL 7, but I haven't been able to track it down. I did a simple netcat test between the same two hosts and there was no lag in transmissions.

 Any suggestions/thoughts from the community?

 Thanks,
 Chris
 
 
 
 -- 
 
 
 
 --- 
 
 You received this message because you are subscribed to the Google Groups "ossec-list" group.
 To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
 For more options, visit https://groups.google.com/d/optout.
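The thread's explanation of the three ossec-remoted processes (one listener per <remote> block: 1514/udp for the secure agent channel, 514/tcp and 514/udp for syslog) can be checked mechanically from the manager's configuration. The script below is an added example, not code from the thread or from the OSSEC or Wazuh projects. It parses a manager ossec.conf constructed to mirror the three <remote> blocks posted above, fills in OSSEC's documented defaults for blocks that omit <port> or <protocol> (assumed here: secure defaults to 1514/udp, syslog to 514/udp), and reports the findings an operator would want before restarting remoted: a syslog listener without <allowed-ips>, and two blocks that would bind the same port/protocol pair. The function names are the example's own.

```python
"""Map each <remote> block of an OSSEC/Wazuh manager ossec.conf to the
listener ossec-remoted opens for it, and flag common misconfigurations.

Added example for the ossec-list thread; not OSSEC or Wazuh project code.
"""
import xml.etree.ElementTree as ET

# Defaults applied when a <remote> block omits <port> or <protocol>.
# Assumed from the OSSEC documentation, not stated in the thread.
DEFAULTS = {
    "secure": {"port": 1514, "protocol": "udp"},
    "syslog": {"port": 514, "protocol": "udp"},
}

# Constructed sample mirroring the three <remote> blocks posted in the
# thread. A real ossec.conf may contain several <ossec_config> roots,
# so it is not one well-formed XML document by itself.
SAMPLE_CONF = """
<ossec_config>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
<ossec_config>
  <remote>
    <connection>syslog</connection>
    <protocol>tcp</protocol>
    <port>514</port>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>
  <remote>
    <connection>syslog</connection>
    <protocol>udp</protocol>
    <port>514</port>
    <allowed-ips>10.0.0.0/8</allowed-ips>
  </remote>
</ossec_config>
"""


def parse_remote_blocks(conf_text):
    """Return one dict per <remote> block with defaults filled in.

    The text is wrapped in a synthetic root element so that multiple
    <ossec_config> elements parse as a single tree.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    listeners = []
    for remote in root.iter("remote"):
        conn = (remote.findtext("connection") or "").strip()
        if conn not in DEFAULTS:
            raise ValueError("unknown <connection> value: %r" % conn)
        port = int(remote.findtext("port") or DEFAULTS[conn]["port"])
        proto = (remote.findtext("protocol") or DEFAULTS[conn]["protocol"]).strip().lower()
        allowed = [e.text.strip() for e in remote.findall("allowed-ips") if e.text]
        listeners.append(
            {"connection": conn, "port": port, "protocol": proto, "allowed_ips": allowed}
        )
    return listeners


def check_listeners(listeners):
    """Return human-readable findings for the parsed <remote> blocks.

    Each block becomes one remoted process, so two blocks on the same
    port/protocol would compete for one socket; syslog listeners need
    at least one <allowed-ips> entry or remoted refuses to start them.
    """
    findings = []
    seen = set()
    for lst in listeners:
        key = (lst["port"], lst["protocol"])
        if key in seen:
            findings.append("duplicate listener %d/%s" % key)
        seen.add(key)
        if lst["connection"] == "syslog" and not lst["allowed_ips"]:
            findings.append("syslog listener %d/%s has no <allowed-ips>" % key)
    return findings


if __name__ == "__main__":
    blocks = parse_remote_blocks(SAMPLE_CONF)
    print("%d <remote> blocks -> %d ossec-remoted processes expected" % (len(blocks), len(blocks)))
    for b in blocks:
        print("  %-6s %d/%s allowed-ips=%s" % (b["connection"], b["port"], b["protocol"], b["allowed_ips"] or "-"))
    for f in check_listeners(blocks):
        print("  finding:", f)
```

Run against the sample, the script lists exactly the three listeners the thread names and reports no findings; drop the <allowed-ips> line from a syslog block, or add a second block on the same port and protocol, and the corresponding finding appears.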
 