Tanishk,

The agents should be checking in every ten minutes.

On Wed, Dec 8, 2010 at 16:27, tanishk lakhaani <[email protected]> wrote:
> Hi Joe,
> Just wanted to confirm if the keep alive time should be within 10 mins of
> the current time?
>
> Regards
> Tanishk
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Joe Gedeon
> Sent: Tuesday, December 07, 2010 8:10 PM
> To: [email protected]
> Subject: Re: [ossec-list] Re: Agents showing 'disconnected' but not?
>
> You will need to do further investigation of what is going on.
>
> Check ossec/logs/ossec.log on both the OSSEC Server and the agents.
> Also on the server tcpdump -ni <interface> src <agent_IP> and port
> 1514 will show you if the agent is trying to connect to the server.
>
> Example:
> tcpdump -ni eth0 src 192.168.1.10 and port 1514
>
> On Mon, Dec 6, 2010 at 17:57, jplee3 <[email protected]> wrote:
>> This is correct - all of the agents are outside of the 10 minute
>> window.
>>
>> Does this just mean that OSSEC stopped sending keep-alives, but not
>> necessarily that the agents are actually 'disconnected'?
>>
>> On Dec 6, 2:06 pm, Joe Gedeon <[email protected]> wrote:
>>> When you see that check with agent_control -i and check when the last
>>> keep alive was. It should be within 10 minutes of the current time.
>>>
>>> On Mon, Dec 6, 2010 at 14:12, jplee3 <[email protected]> wrote:
>>> > Tested this on a Linux box and Windows box. All failed attempts are
>>> > logging to the central OSSEC server. Seems like there might be an
>>> > issue with agent_control?
>>>
>>> > On Dec 6, 10:46 am, "loyd.darby" <[email protected]> wrote:
>>> >> Pudding test, try to log in to one of the windows boxes and put in the
>>> >> wrong password.
>>> >> If that does not show up in the alerts log on the server, it is not
>>> >> working.
>>>
>>> >> On 12/06/2010 12:31 PM, jplee3 wrote:
>>>
>>> >> > Hi all,
>>>
>>> >> > I'm running the latest version 2.5.1 and noticed that after a number
>>> >> > of hours, a handful of my agents, mostly Windows machines (but there
>>> >> > are a few Linux boxes too) show up as "disconnected" when I run
>>> >> > agent_control -l
>>>
>>> >> > What is odd is when I log in to look at these boxes, they appear to
>>> >> > still be connected as much as I can see in the ossec.log. And the
>>> >> > syschecks are still running. If I run agent_control -i ID -e, it shows
>>> >> > the most recent syscheck scans (start and end) and they appear to be
>>> >> > valid.
>>>
>>> >> > Again, nothing in the ossec.log on the servers I've checked indicates
>>> >> > that the machines are disconnected. Checking the ossec.log on my
>>> >> > central server, I see some "Incorrectly formated message" errors but
>>> >> > not for machines that are disconnected.
>>>
>>> >> > Any ideas on what might be going on here? Has anyone else seen this
>>> >> > kind of behavior?
>>>
>>> >> > TIA!
>>>
>>> >> --
>>> >> R. Loyd Darby, OSSIM-OCSE
>>> >> Project Manager DOC/NOAA/NMFS
>>> >> Infrastructure coordinator
>>> >> Southeast Fisheries Science Center
>>> >> 305-361-4297
>>>
>>> --
>>> Registered Linux User # 379282
>
> --
> Registered Linux User # 379282

--
Registered Linux User # 379282
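
Added example, not part of the thread and not OSSEC project code: a way to apply the ten-minute keep-alive check from this thread to several agents at once. The sample report is constructed, and its field labels and the "Unknown" value are assumptions about what `agent_control -i <id>` prints.

```python
import re
from datetime import datetime, timedelta

# Constructed sample. The field labels are an assumption about what
# `agent_control -i <id>` prints; adjust FIELD to the real output.
SAMPLE = """\
   Agent ID:   002
   Agent Name: web01
   Last keep alive:     Mon Dec  6 13:12:41 2010

   Agent ID:   003
   Agent Name: db01
   Last keep alive:     Mon Dec  6 17:51:09 2010

   Agent ID:   004
   Agent Name: mail01
   Last keep alive:     Unknown
"""
FIELD = re.compile(r"^\s*(Agent ID|Agent Name|Last keep alive):\s*(.+?)\s*$")
WINDOW = timedelta(minutes=10)  # check-in interval stated in the thread

def parse_agents(text):
    """Split the report into one dict per agent, keyed by field label."""
    agents = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        if m.group(1) == "Agent ID":
            agents.append({})
        if agents:
            agents[-1][m.group(1)] = m.group(2)
    return agents

def stale_agents(text, now, window=WINDOW):
    """Return (id, name, age) for agents last heard from more than `window` ago."""
    stale = []
    for a in parse_agents(text):
        raw = a.get("Last keep alive", "")
        try:
            seen = datetime.strptime(" ".join(raw.split()), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            # No usable timestamp: report the agent instead of hiding it.
            stale.append((a["Agent ID"], a.get("Agent Name"), None))
            continue
        if now - seen > window:
            stale.append((a["Agent ID"], a.get("Agent Name"), now - seen))
    return stale

if __name__ == "__main__":
    for row in stale_agents(SAMPLE, datetime(2010, 12, 6, 17, 57)):
        print(row)
```

An agent listed here that still delivers alerts to the server matches the symptom in the original post, so the next step is the ossec.log and tcpdump check on port 1514 described above.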
