Dear all, It seems to take between 30 and 40 minutes without a response from an agent for the OSSEC server to decide that the agent must have disconnected. It's only then that I get mail saying the agent has disconnected.
I'd like to know a little sooner that an agent has disconnected, so I was wondering if there is any option that I could change to tell the server to generate an agent-disconnect alert after for instance 5 minutes without a response to the keep-alive packet. I looked in ossec.conf and internal_options.conf but didn't see anything that looked like it's what I want. I'm grateful for any suggestions. I'm also grateful to the OSSEC developers for such a great, open-source product! Best, Chris Tozzi
