Re: [ossec-list] remoted Dropping Events

2016-12-14 Thread Victor Fernandez
Hi, quite so, TCP is supported on Wazuh manager and agents, version 1.1 and above. If you are experiencing this issue, you may activate the archives on the manager, with this line at ossec.conf: *yes* Restart your agent and look out the file

Re: [ossec-list] remoted Dropping Events

2016-12-13 Thread dan (ddp)
On Tue, Dec 13, 2016 at 9:11 AM, Chris Decker wrote: > Victor, > > I'm at the point where my agents all have valid keys, so I'm unsure as to > why I have ~ 750 clients and only ~225 are reported as "active" at any one > time (all of the machines are alive and well, and

Re: [ossec-list] remoted Dropping Events

2016-12-12 Thread Chris Decker
Victor, Thanks. What I was doing was *rm*ing everything in /var/ossec except for queue and logs. Then I was installing the newly-compiled code. When the installer asked if I wanted to update, I answered "yes", which apparently defaults the installation to a local installation (I'm not sure

Re: [ossec-list] remoted Dropping Events

2016-12-12 Thread Victor Fernandez
Hi Chris, since you compiled the project with "TARGET=server", maybe you chose "local" when you installed it. A local installation is a profile like a server but without Remoted, that's why that daemon doesn't start with "ossec-control start". The line at ossec-init.conf has only informational

Re: [ossec-list] remoted Dropping Events

2016-12-12 Thread Chris Decker
Victor, ossec-init.conf is showing the installation is a *local* installation. However, I know that I performed a server installation per my notes and bash history… make clean make TARGET=server Obviously I could change this value back to 'server', but will this fix the issue?

Re: [ossec-list] remoted Dropping Events

2016-12-10 Thread Victor Fernandez
Hi Chris, as you guessed, there is one *remoted* process for each configuration. Although it's strange that "ossec-control stop" does stop the *remoted* processes but "ossec-control start" doesn't run them. How did you install Wazuh? Please make sure that the file "

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread lemuelcrandall via ossec-list
On Fri, 12/9/16, marquitarickman via ossec-list <ossec-list@googlegroups.com> wrote: Subject: Re: [ossec-list] remoted Dropping Events To: ossec-list@googlegroups.com Date: Friday, December 9, 2016, 9

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread marquitarickman via ossec-list
On Fri, 12/9/16, stephanmabe via ossec-list <ossec-list@googlegroups.com> wrote: Subject: Re: [ossec-list] remoted Dropping Events To: ossec-list@googlegroups.com Date: Friday, December 9, 2016, 9

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread cammiekuykendall via ossec-list
On Fri, 12/9/16, stephanmabe via ossec-list <ossec-list@googlegroups.com> wrote: Subject: Re: [ossec-list] remoted Dropping Events To: ossec-list@googlegroups.com Date: Friday, December 9, 2016, 9

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread stephanmabe via ossec-list
On Fri, 12/9/16, Chris Decker <ch...@chris-decker.com> wrote: Subject: Re: [ossec-list] remoted Dropping Events To: "ossec-list" <ossec-list@googlegroups.com> Date: Friday, December 9, 2016, 6:24 PM Dan, Thanks for

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread Chris Decker
Dan, Thanks for your help. Is ossec-remoted listed in the DAEMONS variable in the script? > It was *not*, but I added it after noticing it wasn't in there. If I tell ossec-control to stop, remoted stops as expected: [root@logger01 limits.d]# /var/ossec/bin/ossec-control stop Killing

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread dan (ddp)
On Dec 9, 2016 9:17 AM, "Chris Decker" wrote: Victor, On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote: > > Hi, > > Agents should send a keepalive each 10 minutes (600 seconds) by default, > and this should be enough. But you can go down that time

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread Chris Decker
Victor, On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote: > > Hi, > > Agents should send a keepalive each 10 minutes (600 seconds) by default, > and this should be enough. But you can go down that time at the agent's > ossec.conf: > > > > > 1.2.3.4 > *60*

Re: [ossec-list] remoted Dropping Events

2016-12-09 Thread Victor Fernandez
Hi, Agents should send a keepalive each 10 minutes (600 seconds) by default, and this should be enough. But you can go down that time at the agent's ossec.conf: 1.2.3.4 *60* If you see any agent disconnected, check its ossec.log file. On the other hand, as Dan says,

Re: [ossec-list] remoted Dropping Events

2016-12-08 Thread dan (ddp)
On Dec 8, 2016 4:41 PM, "Chris Decker" wrote: All, I have an OSSEC instance (running the latest/greatest Wazuh code cloned from GitHub) that has about 1k active hosts. I've noticed recently that hosts are flipping back and forth between *Active* and *Disconnected*.

[ossec-list] remoted Dropping Events

2016-12-08 Thread Chris Decker
All, I have an OSSEC instance (running the latest/greatest Wazuh code cloned from GitHub) that has about 1k active hosts. I've noticed recently that hosts are flipping back and forth between *Active* and *Disconnected*. I've also noticed that not all of the log messages from "*Active*" hosts