When you see that, check with agent_control -i and check when the last keep alive was. It should be within 10 minutes of the current time.

On Mon, Dec 6, 2010 at 14:12, jplee3 <[email protected]> wrote:
> Tested this on a Linux box and Windows box. All failed attempts are
> logging to the central OSSEC server. Seems like there might be an
> issue with agent_control?
>
>
> On Dec 6, 10:46 am, "loyd.darby" <[email protected]> wrote:
>> Pudding test, try to log in to one of the Windows boxes and put in the
>> wrong password.
>> If that does not show up in the alerts log on the server, it is not working.
>>
>> On 12/06/2010 12:31 PM, jplee3 wrote:
>>
>> > Hi all,
>>
>> > I'm running the latest version 2.5.1 and noticed that after a number
>> > of hours, a handful of my agents, mostly Windows machines (but there
>> > are a few Linux boxes too) show up as "disconnected" when I run
>> > agent_control -l
>>
>> > What is odd is when I log in to look at these boxes, they appear to
>> > still be connected as much as I can see in the ossec.log. And the
>> > syschecks are still running. If I run agent_control -i ID -e, it shows
>> > the most recent syscheck scans (start and end) and they appear to be
>> > valid.
>>
>> > Again, nothing in the ossec.log on the servers I've checked indicates
>> > that the machines are disconnected. Checking the ossec.log on my
>> > central server, I see some "Incorrectly formated message" errors but
>> > not for machines that are disconnected.
>>
>> > Any ideas on what might be going on here? Has anyone else seen this
>> > kind of behavior?
>>
>> > TIA!
>>
>> --
>> R. Loyd Darby, OSSIM-OCSE
>> Project Manager DOC/NOAA/NMFS
>> Infrastructure coordinator
>> Southeast Fisheries Science Center
>> 305-361-4297

-- 
Registered Linux User # 379282
