This is correct - all of the agents are outside of the 10-minute window. Does this just mean that OSSEC stopped sending keep-alives, but not necessarily that the agents are actually 'disconnected'?

On Dec 6, 2:06 pm, Joe Gedeon <[email protected]> wrote:
> When you see that check with agent_control -i and check when the last
> keep alive was. It should be within 10 minutes of the current time.
>
> On Mon, Dec 6, 2010 at 14:12, jplee3 <[email protected]> wrote:
> > Tested this on a Linux box and Windows box. All failed attempts are
> > logging to the central OSSEC server. Seems like there might be an
> > issue with agent_control?
>
> > On Dec 6, 10:46 am, "loyd.darby" <[email protected]> wrote:
> >> Pudding test, try to log in to one of the windows boxes and put in the
> >> wrong password.
> >> If that does not show up in the alerts log on the server, it is not
> >> working.
>
> >> On 12/06/2010 12:31 PM, jplee3 wrote:
>
> >> > Hi all,
>
> >> > I'm running the latest version 2.5.1 and noticed that after a number
> >> > of hours, a handful of my agents, mostly Windows machines (but there
> >> > are a few Linux boxes too) show up as "disconnected" when I run
> >> > agent_control -l
>
> >> > What is odd is when I log in to look at these boxes, they appear to
> >> > still be connected as much as I can see in the ossec.log. And the
> >> > syschecks are still running. If I run agent_control -i ID -e, it shows
> >> > the most recent syscheck scans (start and end) and they appear to be
> >> > valid.
>
> >> > Again, nothing in the ossec.log on the servers I've checked indicates
> >> > that the machines are disconnected. Checking the ossec.log on my
> >> > central server, I see some "Incorrectly formated message" errors but
> >> > not for machines that are disconnected.
>
> >> > Any ideas on what might be going on here? Has anyone else seen this
> >> > kind of behavior?
>
> >> > TIA!
>
> >> --
> >> R. Loyd Darby, OSSIM-OCSE
> >> Project Manager DOC/NOAA/NMFS
> >> Infrastructure coordinator
> >> Southeast Fisheries Science Center
> >> 305-361-4297
>
> --
> Registered Linux User # 379282
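
Added example, not part of the thread or of OSSEC itself: a Python check of the 10-minute keepalive rule from `agent_control -i` discussed above, which also flags the symptom reported here (a syscheck run finishing after the last keepalive). The field labels, timestamp format and sample output are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

KEEPALIVE_WINDOW = timedelta(minutes=10)   # window quoted in the thread
TS_FORMAT = "%a %b %d %H:%M:%S %Y"         # assumed ctime-style timestamps

# Assumed field labels in `agent_control -i <id>` output.
FIELDS = {
    "keepalive": r"Last keep alive:\s*(.+)",
    "syscheck_end": r"Syscheck last ended\s+at:\s*(.+)",
}

# Constructed sample output (not taken from a real server).
SAMPLE = """\
   Agent ID:   012
   Agent Name: win-app01
   Status:     Disconnected
   Last keep alive:     Mon Dec  6 09:14:22 2010
   Syscheck last started  at: Mon Dec  6 13:02:10 2010
   Syscheck last ended    at: Mon Dec  6 13:31:45 2010
"""

def parse_ts(raw):
    """Return a datetime, or None for values such as 'Unknown'."""
    try:
        return datetime.strptime(" ".join(raw.split()), TS_FORMAT)
    except ValueError:
        return None

def assess(output, now):
    """Classify one agent from its `agent_control -i` text."""
    ts = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, output)
        ts[name] = parse_ts(m.group(1)) if m else None
    keepalive, syscheck_end = ts["keepalive"], ts["syscheck_end"]
    if keepalive is None:
        return "unknown"
    if now - keepalive <= KEEPALIVE_WINDOW:
        return "keepalive-current"
    # Syscheck finished after the last keepalive: the symptom described
    # in the thread (listed as disconnected, scans still being recorded).
    if syscheck_end is not None and syscheck_end > keepalive:
        return "stale-keepalive-still-reporting"
    return "stale-keepalive"

if __name__ == "__main__":
    print(assess(SAMPLE, datetime(2010, 12, 6, 14, 0, 0)))
```

Feed it the text captured from `agent_control -i <id>` per agent; agents classified `stale-keepalive-still-reporting` are the ones worth comparing against the alerts log, as suggested earlier in the thread.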
