Hi Peter, These messages are not bad by itself, they just mean the server didn't respond to the "keep alive" messages from the agent and it stopped sending events for that period (in your case very small period -- just 2-3 seconds). I have no idea why this might be happening, but maybe something related with Windows 64...
I will try to get a Windows 64 copy to find out what is going on... Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 8/15/07, Peter M. Abraham <[EMAIL PROTECTED]> wrote: > > Greetings: > > We currently are testing OSSEC 1.3 on 25 servers including 3 Window > 2003 servers. > > Two of the Window 2003 servers are running regular 32-bit Windows 2003 > server; but the third one is running 64-bit plus also using the > storage server edition. > > All three are to the latest Microsoft patch level including the > patches released yesterday, 8-14-2007. > > The 64-bit Window server agent regularly (typically within a few hours > of starting the agent) disconnects from the server. > > In the ossec log on the agent side, every time there is a disconnect I > notice lines as follows: > > > 2007/08/15 10:33:51 ossec-agent: Event count after '20000': 4139566- > >3496696 (84%) > > 2007/08/15 11:45:53 ossec-agent: Server unavailable. Setting lock. > > 2007/08/15 11:45:56 ossec-agent: Server responded. Releasing lock. > > 2007/08/15 12:31:26 ossec-agent: Server unavailable. Setting lock. > > 2007/08/15 12:31:29 ossec-agent: Server responded. Releasing lock. > > 2007/08/15 13:03:59 ossec-agent: Server unavailable. Setting lock. > > 2007/08/15 13:04:02 ossec-agent: Server responded. Releasing lock. > > 2007/08/15 13:35:32 ossec-agent: Server unavailable. Setting lock. > > 2007/08/15 13:35:35 ossec-agent: Server responded. Releasing lock. > > > Is there anything I can do on my end to improve how long the agent > stays connected? > > Thank you. > >
