Tested this on a Linux box and Windows box. All failed attempts are logging to the central OSSEC server. Seems like there might be an issue with agent_control?
On Dec 6, 10:46 am, "loyd.darby" <[email protected]> wrote:
> Pudding test, try to log in to one of the windows boxes and put in the
> wrong password.
> If that does not show up in the alerts log on the server, it is not working.
>
> On 12/06/2010 12:31 PM, jplee3 wrote:
> > Hi all,
> >
> > I'm running the latest version 2.5.1 and noticed that after a number
> > of hours, a handful of my agents, mostly Windows machines (but there
> > are a few Linux boxes too) show up as "disconnected" when I run
> > agent_control -l
> >
> > What is odd is when I log in to look at these boxes, they appear to
> > still be connected as much as I can see in the ossec.log. And the
> > syschecks are still running. If I run agent_control -i ID -e, it shows
> > the most recent syscheck scans (start and end) and they appear to be
> > valid.
> >
> > Again, nothing in the ossec.log on the servers I've checked indicates
> > that the machines are disconnected. Checking the ossec.log on my
> > central server, I see some "Incorrectly formated message" errors but
> > not for machines that are disconnected.
> >
> > Any ideas on what might be going on here? Has anyone else seen this
> > kind of behavior?
> >
> > TIA!
>
> --
> R. Loyd Darby, OSSIM-OCSE
> Project Manager DOC/NOAA/NMFS
> Infrastructure coordinator
> Southeast Fisheries Science Center
> 305-361-4297
