Both should not be happening. More inline. This is a hard problem to just
jump right into via email. Might want to hop on to IRC and get the collective
to talk with (irc.freenode.net room #ossec).
Also, on our Ossec Master Server, we are observing that the
"ossec-analysisd" uses ~100% of a single CPU (4 CPUs are available).
Could this be causing any issues?
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2779 ossec 25 0 8236 2932 704 R 93.2 0.1 119:14.70 ossec-analysisd
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Griffith, Robert
Sent: Wednesday, July 28, 2010 5:14 AM
To: '[email protected]'
Subject: [ossec-list] All UNIX/LINUX agents disconnecting and failing to reconnect
Importance: High
We continue to observe the Ossec Client disconnects to our Ossec Master
Server over the network. We started receiving these disconnects again on
Wednesday July 7th 2010. The clients disconnected daily and failed to
reconnect for hours (some clients took days or never reconnected again).
This issue was also observed in May on 5/10/2010. That issue lasted for
two weeks and then suddenly stopped without any Ossec configuration
changes.
We implemented the fix you provided below after we encountered the
issue again on Wednesday July 7th 2010. We cleaned the "rids" directory
and disabled the counters on both the Ossec Master Server and all
UNIX/Linux Clients (set verify_msg_id to 0 on the internal_options.conf).
The "fix" you provided cleared the issue for 5 days and then the Client
disconnect issue re-emerged. We re-applied the "fix" again without
success.
We are again experiencing disconnects and failed re-connects on all
UNIX/LINUX Ossec agents.
FYI: We are using Ossec Version 2.4. Counters are disabled.