Hi Daniel, Thank you for your reply. This makes OSSEC a more effective tool for monitoring the status of our servers and letting us know more quickly if one goes down. I'll try changing the code the next time we have to rebuild OSSEC, and I've also submitted a bug report at http://www.ossec.net/bugs/show_bug.cgi?id=168 to get the option added in a future release.
Best, Chris Tozzi On Thu, 2008-05-29 at 15:58 -0300, Daniel Cid wrote: > Hi Chris, > > Currently, there is no way to specify that in the config, but I will > make sure to add that > for the next version (if you could open a bug at > http://www.ossec.net/bugs/ , it will guarantee > that we will not forget :)). > > *If you are up to change the code, just go to file > src/shared/read-agents.c and on line 632, change > the timeout value to whatever you want (right now it is 3*NOTIFY_TIME > -- where NOTIFY_TIME is > 10 minutes). > > Thanks, > > -- > Daniel B. Cid > dcid ( at ) ossec.net > > > > > On Wed, May 28, 2008 at 4:16 PM, Christopher Tozzi <[EMAIL PROTECTED]> wrote: > > > > Dear all, > > > > It seems to take between 30 and 40 minutes without a response from an > > agent for the OSSEC server to decide that the agent must have > > disconnected. It's only then that I get mail saying the agent has > > disconnected. > > > > I'd like to know a little sooner that an agent has disconnected, so I > > was wondering if there is any option that I could change to tell the > > server to generate an agent-disconnect alert after for instance 5 > > minutes without a response to the keep-alive packet. I looked in > > ossec.conf and internal_options.conf but didn't see anything that looked > > like it's what I want. I'm grateful for any suggestions. > > > > I'm also grateful to the OSSEC developers for such a great, open-source > > product! > > > > Best, > > Chris Tozzi > > > >
