Hello group,

For the multi-server architecture we have 4 ossec servers in failover.
By default, it will only see the missing server after 30 minutes, while alerts are lost during that time.

From the source code I have changed the default 10 minutes of NOTIFY_TIME to 2 minutes, and recompiled, leading to a maximum loss of 6 minutes (3*NOTIFY_TIME in notify.c). I have tested this setting and apparently it works. But I can't estimate the impact of this change, and management wants me to validate this change.

Is there someone in the group who has done the same thing? Is there a reason why NOTIFY_TIME is set to a default of 10 minutes? I suspect some dependency with the Windows agents, but there are no Windows systems in my parc.

Thank you very much for your help,
Ka Kit Wong
