Daniel, On 2/14/07, Daniel Cid <[EMAIL PROTECTED]> wrote:
Did it happened more than once after that? Did your ossec server alerted that the agent was disconnected? --it shouldn't, because of the small period..
Yes to both questions. It happened twice last night, again only for a short period of time. 2007/02/14 16:35:01 ossec-agent: Server unavailable. Setting lock. 2007/02/14 16:35:07 ossec-agent: Server responded. Releasing lock. 2007/02/15 00:26:37 ossec-agent: Server unavailable. Setting lock. 2007/02/15 00:26:40 ossec-agent: Server responded. Releasing lock. 2007/02/15 01:22:01 ossec-agent: Server unavailable. Setting lock. 2007/02/15 01:22:04 ossec-agent: Server responded. Releasing lock. However, alerts were generated both times: OSSEC HIDS Notification. 2007 Feb 15 00:54:23 Received From: server->ossec-monitord Rule: 504 fired (level 3) -> "Ossec agent disconnected." Portion of the log(s): ossec: Agent disconnected: 'client-128.153.x.x'. --END OF NOTIFICATION OSSEC HIDS Notification. 2007 Feb 15 01:58:23 Received From: server->ossec-monitord Rule: 504 fired (level 3) -> "Ossec agent disconnected." Portion of the log(s): ossec: Agent disconnected: 'client-128.153.x.x'. --END OF NOTIFICATION And the files in /var/ossec/queue/agent-info have gone stale: -rw-r--r-- 1 ossecr ossec 78 Feb 15 01:16 client1-128.153.x.x -rw-r--r-- 1 ossecr ossec 78 Feb 15 01:32 client2-128.153.x.x
