Hi, I'm having a strange issue. I have agents that normally report to the 
manager just fine, but after an undetermined amount of time, this appears 
in the logs:

2019/12/16 01:20:55 rootcheck: INFO: Starting rootcheck scan.
2019/12/16 01:40:58 rootcheck: INFO: Ending rootcheck scan.
2019/12/16 13:18:52 ossec-agentd: WARN: Server unavailable. Setting lock.
2019/12/16 13:19:13 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:19:15 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:19:15 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:19:36 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:19:56 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:19:56 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:20:17 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:20:51 ossec-logcollector: WARN: Process locked. Waiting for permission...
2019/12/16 13:20:55 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:20:55 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:21:16 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:22:12 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:22:12 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:22:33 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:23:47 ossec-agentd: INFO: Trying to connect to server SERVER-IP, port 1514.
2019/12/16 13:23:47 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514

There's nothing in the manager logs to indicate any sort of issue, and 
other agents that are connected to the same manager keep on reporting fine. 
I have some agents that disconnect after a few hours, and others that have 
been connected for weeks without issue, though the large majority do end up 
disconnecting at some point. If I manually remove the agent from the 
manager, and then get a new key with `agent-auth` & `agent-authd`, it 
continues working as normal. I've already tried configuring the 
`notify_time` to 60. I also have turned on debugging for a few agents, but 
due to the seeming randomness of the disconnects, I'd like to avoid waiting 
weeks to finally get a useful log / disconnect. The server is v3.3.0 and 
agents are generally either v3.2.0 or v3.3.0.

Also, I'm aware I can try switching from UDP to TCP; however, that would 
require reconfiguring 100s of servers across a half dozen environments, so 
I'd like to avoid doing that unless I'm certain it will be the fix.
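
One way to summarize the reconnect loop shown in the agent log above, so affected agents can be spotted and compared without reading each log by hand. This is an added example, not part of the original post or of OSSEC itself; the names `parse` and `summarize` are illustrative, and `SAMPLE` is an excerpt of the post's log with the e-mail line wraps rejoined.

```python
import re
from datetime import datetime

# Excerpt of the agent log from the post, e-mail line wraps rejoined.
SAMPLE = """\
2019/12/16 13:18:52 ossec-agentd: WARN: Server unavailable. Setting lock.
2019/12/16 13:19:13 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:19:15 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:19:36 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:19:56 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
2019/12/16 13:20:17 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'SERVER-IP'.
2019/12/16 13:20:55 INFO: Connected to SERVER-IP at address SERVER-IP, port 1514
"""

LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (.*)$")
EVENTS = {  # substring of the message -> event name (illustrative labels)
    "Server unavailable. Setting lock": "lock",
    "Connected to": "connect",
    "Waiting for server reply": "noreply",
}

def parse(text):
    """Yield (timestamp, event) for the agentd lines that matter here."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped fragment or unrelated text
        for needle, name in EVENTS.items():
            if needle in m.group(2):
                yield datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), name

def summarize(text):
    """Report when the lock was set and how each connect/no-reply cycle timed out."""
    out = {"locked_at": None, "failed_cycles": 0, "reply_waits": [], "retry_gaps": []}
    last_connect = last_noreply = None
    for ts, ev in parse(text):
        if ev == "lock" and out["locked_at"] is None:
            out["locked_at"] = ts
        elif ev == "connect":
            if last_noreply:  # seconds between giving up and the next attempt
                out["retry_gaps"].append(int((ts - last_noreply).total_seconds()))
            last_connect = ts
        elif ev == "noreply":
            if last_connect:  # a "Connected" that never got a server reply
                out["failed_cycles"] += 1
                out["reply_waits"].append(int((ts - last_connect).total_seconds()))
            last_connect, last_noreply = None, ts
    return out
```

On this excerpt every "Connected" is followed 21 seconds later by a "Waiting for server reply" warning, and the pause before each new attempt grows (2, 20, 38 seconds).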

