Hi Joe,

Just wanted to confirm if the keep alive time should be within 10 mins of the current time?

Regards
Tanishk

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Joe Gedeon
Sent: Tuesday, December 07, 2010 8:10 PM
To: [email protected]
Subject: Re: [ossec-list] Re: Agents showing 'disconnected' but not?

You will need to do further investigation of what is going on. Check
ossec/logs/ossec.log on both the OSSEC Server and the agents.

Also on the server, tcpdump -ni <interface> src <agent_IP> and port 1514
will show you if the agent is trying to connect to the server.

Example: tcpdump -ni eth0 src 192.168.1.10 and port 1514

On Mon, Dec 6, 2010 at 17:57, jplee3 <[email protected]> wrote:
> This is correct - all of the agents are outside of the 10 minute
> window.
>
> Does this just mean that OSSEC stopped sending keep-alives, but not
> necessarily that the agents are actually 'disconnected'?
>
> On Dec 6, 2:06 pm, Joe Gedeon <[email protected]> wrote:
>> When you see that, check with agent_control -i and check when the last
>> keep alive was. It should be within 10 minutes of the current time.
>>
>> On Mon, Dec 6, 2010 at 14:12, jplee3 <[email protected]> wrote:
>> > Tested this on a Linux box and Windows box. All failed attempts are
>> > logging to the central OSSEC server. Seems like there might be an
>> > issue with agent_control?
>>
>> > On Dec 6, 10:46 am, "loyd.darby" <[email protected]> wrote:
>> >> Pudding test: try to log in to one of the Windows boxes and put in the
>> >> wrong password.
>> >> If that does not show up in the alerts log on the server, it is not working.
>> >>
>> >> On 12/06/2010 12:31 PM, jplee3 wrote:
>> >> > Hi all,
>> >> >
>> >> > I'm running the latest version 2.5.1 and noticed that after a number
>> >> > of hours, a handful of my agents, mostly Windows machines (but there
>> >> > are a few Linux boxes too) show up as "disconnected" when I run
>> >> > agent_control -l
>> >> >
>> >> > What is odd is when I log in to look at these boxes, they appear to
>> >> > still be connected as much as I can see in the ossec.log. And the
>> >> > syschecks are still running. If I run agent_control -i ID -e, it shows
>> >> > the most recent syscheck scans (start and end) and they appear to be
>> >> > valid.
>> >> >
>> >> > Again, nothing in the ossec.log on the servers I've checked indicates
>> >> > that the machines are disconnected. Checking the ossec.log on my
>> >> > central server, I see some "Incorrectly formated message" errors but
>> >> > not for machines that are disconnected.
>> >> >
>> >> > Any ideas on what might be going on here? Has anyone else seen this
>> >> > kind of behavior?
>> >> >
>> >> > TIA!
>> >>
>> >> --
>> >> R. Loyd Darby, OSSIM-OCSE
>> >> Project Manager DOC/NOAA/NMFS
>> >> Infrastructure coordinator
>> >> Southeast Fisheries Science Center
>> >> 305-361-4297
>>
>> --
>> Registered Linux User # 379282

--
Registered Linux User # 379282
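The check Joe describes (read the "last keep alive" time from agent_control -i and confirm it is within 10 minutes of now), as an added example that is not part of the thread and not OSSEC's own code. The agent_control output it parses is a constructed sample; the field labels ("Last keep alive:", "Status:", "Syscheck last ended at:") and the ctime-style timestamp format are assumptions about the tool's output layout, so adjust the labels if your version prints them differently. It also compares the syscheck end time with the keep-alive time, which surfaces the situation jplee3 reports: syscheck results still arriving from an agent whose keep-alives have lapsed.

```python
"""Keep-alive freshness check for an OSSEC agent (added example, not OSSEC code).

Parses the text that `agent_control -i <ID>` prints for one agent and reports
whether the last keep-alive is within the 10-minute window mentioned in the
thread.  SAMPLE_AGENT_INFO is CONSTRUCTED for this example; the field labels
and the ctime-style timestamps are an ASSUMPTION about agent_control's layout.
"""
import re
from datetime import datetime, timedelta

# Rule of thumb from the thread: a healthy agent's keep-alive is < 10 min old.
KEEPALIVE_WINDOW = timedelta(minutes=10)

# Constructed sample of `agent_control -i 002` output (layout is an assumption).
SAMPLE_AGENT_INFO = """\
OSSEC HIDS agent_control. Agent information:
   Agent ID:   002
   Agent Name: winbox01
   IP address: 192.168.1.10
   Status:     Disconnected

   Operating system:    Microsoft Windows Server 2003
   Client version:      OSSEC HIDS v2.5.1
   Last keep alive:     Mon Dec  6 13:40:12 2010

   Syscheck last started  at: Mon Dec  6 13:45:01 2010
   Syscheck last ended    at: Mon Dec  6 13:58:33 2010
"""

# "Now" used by the stand-alone run, chosen to match the constructed sample.
SAMPLE_NOW = datetime(2010, 12, 6, 14, 5, 12)

_TS_FMT = "%a %b %d %H:%M:%S %Y"   # ctime(3)-style, e.g. "Mon Dec  6 13:40:12 2010"


def parse_ctime(text):
    """Parse a ctime-style timestamp; collapses the padded day-of-month space."""
    return datetime.strptime(" ".join(text.split()), _TS_FMT)


def _field(agent_info, label):
    """Return the value printed after `label` (whitespace-insensitive), or None."""
    pattern = r"^\s*" + r"\s+".join(map(re.escape, label.split())) + r"\s*(.+?)\s*$"
    m = re.search(pattern, agent_info, re.MULTILINE)
    return m.group(1) if m else None


def check_agent(agent_info, now, window=KEEPALIVE_WINDOW):
    """Summarise keep-alive freshness for one agent from agent_control -i output."""
    ka_text = _field(agent_info, "Last keep alive:")
    if ka_text is None:
        raise ValueError("no 'Last keep alive' line in agent_control output")
    last_keepalive = parse_ctime(ka_text)
    age = now - last_keepalive

    sc_text = _field(agent_info, "Syscheck last ended at:")
    syscheck_end = parse_ctime(sc_text) if sc_text and sc_text != "Unknown" else None

    return {
        "agent_id": _field(agent_info, "Agent ID:"),
        "status": _field(agent_info, "Status:"),
        "age_seconds": int(age.total_seconds()),
        "keepalive_ok": age <= window,
        # True when the server recorded a syscheck result newer than the last
        # keep-alive: the agent is still delivering data although its
        # keep-alives lapsed, which is what the thread's poster observed.
        "data_newer_than_keepalive": syscheck_end is not None
        and syscheck_end > last_keepalive,
    }


if __name__ == "__main__":
    report = check_agent(SAMPLE_AGENT_INFO, SAMPLE_NOW)
    for key, value in report.items():
        print("%-26s %s" % (key + ":", value))
    if not report["keepalive_ok"]:
        # Next step from the thread: confirm on the server whether the agent
        # is even trying to reach port 1514 (interface/IP from the sample).
        print("keep-alive is stale; verify with: "
              "tcpdump -ni eth0 src 192.168.1.10 and port 1514")
```

Run it against real output with `agent_control -i 002 | python check_keepalive.py` after swapping SAMPLE_NOW for `datetime.now()` and reading `sys.stdin`; the sample as written reports a 25-minute-old keep-alive on an agent whose syscheck finished after that keep-alive, so the next step is the tcpdump check rather than assuming the agent is down.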
