I believe I've discovered the elusive issue causing 1000s of agent disconnects in _my_ environment for months. It was caused by the volume of file integrity events ("ossec syscheck") -> which caused ossec-analysisd to peg the CPU at 100% -> which then appears to have caused agent disconnects. In a 24-hour period my environment could generate 75000+ file integrity events. Instead of configuring ossec.conf with additional "file/directories" to ignore, I had written rules (inside local_rules.xml) to simply reduce the "level" to 0 (i.e. I wanted to have a forensic trail, but not be alerted). As soon as I added the directories containing the majority of file changes to the ignore lines in ossec.conf -> restarted -> ossec-analysisd CPU consumption plummeted and I have yet to see a single agent disconnect message. Hope this helps others! -Tate
On 9/17/10 10:36 AM, "Tate Hansen" <[email protected]> wrote:

> Have you observed any ossec process sustaining 100% cpu usage?
>
> On 9/16/10 11:28 PM, "bcube" <[email protected]> wrote:
>
>> They would all reconnect by themselves and stay connected for a few
>> hours then disconnect again. It's been like this for the past week.
>>
>> I've set the debug to level 2 on windows, syscheck, remoted etc. on
>> the internal_options.conf but still can't see anything wrong.
>>
>> On Sep 17, 11:51 am, bcube <[email protected]> wrote:
>>> Hi Dan,
>>>
>>> -Version of server is 2.4
>>> -Version for agents are mixed from 2.0 to 2.4
>>> -Everything is working fine until Sep 9, 2010
>>>
>>> I've checked on the logs but can't seem to find any possible indication
>>> as to what happened
>>>
>>> On Sep 17, 10:16 am, "[email protected]" <[email protected]> wrote:
>>>
>>>> What version of ossec? Did they ever work? Is there anything in the server
>>>> and agent ossec.log file that might provide a clue?
>>>
>>>> dan
>>>
>>>> -----Original Message-----
>>>> From: bcube
>>>> Sent: 09/16/2010 9:38:10 PM
>>>> Subject: [ossec-list] ossec agents disconnecting
>>>
>>>> We are experiencing the same issues as the thread below for 1 week
>>>> now. We have over 100+ agents mixed windows and linux. Will test the
>>>> recommendations below.
>>>
>>>> so far I set remoted.verify_msg_id=0 but still no effect.
>>>> Will try clearing the rids.
>>>
>>>> http://groups.google.com/group/ossec-list/browse_thread/thread/949c1b...
>>
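The two approaches Tate contrasts, as an added illustration that is not part of the original thread: a local_rules.xml rule that only silences the alert after ossec-analysisd has already done the work, beside the syscheck `<ignore>` entries that stop the events before they are generated. The rule id 100010 and the /var/cache/app paths are assumed placeholders; the `<ignore>` lines belong in the ossec.conf read by the agent that runs syscheck (or in the shared agent.conf).

```xml
<!-- local_rules.xml: the approach that did NOT help.
     Every file change is still hashed by the agent, sent to the
     server, decoded and matched by ossec-analysisd; level 0 only
     suppresses the alert after all that CPU has been spent. -->
<group name="local,syscheck,">
  <rule id="100010" level="0">              <!-- assumed placeholder id -->
    <if_group>syscheck</if_group>
    <match>/var/cache/app/</match>          <!-- assumed noisy directory -->
    <description>Silence FIM noise from app cache (event still processed)</description>
  </rule>
</group>

<!-- ossec.conf on the agent (or shared agent.conf): the approach that
     fixed it. Ignored paths are never hashed, so no event is sent and
     ossec-analysisd never sees it. -->
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/var/cache/app</directories>

    <!-- exact paths to skip (assumed noisy directories) -->
    <ignore>/var/cache/app/sessions</ignore>
    <ignore>/var/cache/app/tmp</ignore>

    <!-- OSSEC simple regex for a whole family of paths -->
    <ignore type="sregex">^/var/cache/app/logs/</ignore>
  </syscheck>
</ossec_config>
```

The trade-off is the one Tate describes: an ignored path leaves no forensic trail at all, so confirm a directory is genuinely churn (compare the alert counts in alerts.log per path) before adding it, and restart the agent for the new ignores to take effect.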
