Hello guys, I'm using Ossec 2.4.1 on a Debian server with ~30 agents, and Ossec-Wui 0.3, since June 2010. Everything was working perfectly at the beginning, with just one duplicate error in August, nothing more (I found the solution at http://www.ossec.net/wiki/Errors:DuplicateError).
But for the past 2 weeks, I have been losing agents (to this *legendary* Duplicate Error) very, very often. And it's not 1 or 2 at a time, it's like 20 at the same time. So I searched the mailing-list archive, but found nothing like my case.

Most of my agents are Xen virtual machines, and they are backed up every night by BackupPC (xm pause / xm sysrq / xm unpause), and I think this may be part of the problem (but why just now?). The easiest solution would be a crontab that deletes the counters in queue/rids every day on both the server and the client side, but this is so dirty.

So I'm asking the experts: if you have any idea, it's welcome :) Have a nice day guys!
