Are the same agents always going offline? Are you using unique agent IDs for each agent? You said you see traffic going to the ossec server, but do you see traffic going from the server to the "non-functioning" agent?

On Tue, Jul 12, 2011 at 7:32 PM, Locutus233ca <[email protected]> wrote:
> Hi,
>
> I'm running a number of Ubuntu 10.04 LTS instances on EC2. I
> installed OSSEC 2.51 on about 7 machines and this seemed to go okay
> for about a week. I then increased the number of monitored instances
> by installing the agent on more instances. After a few hours all the
> monitored instances started going into offline mode and failing to
> show up online.
>
> I couldn't find any errors in the server or client side logs. I tried
> restarting clients; this didn't seem to help anything. I then tried
> changing keys on some agents and this didn't work either. I tried
> clearing out the rids in the queue on the server side and client side
> and restarted the clients and server. Clearing out the rid files
> seemed to temporarily get the agents communicating again. After about 1
> hour I was back again to seeing offline clients.
>
> I tried updating my server to Beta V110607. This had a similar effect,
> but after about 1 hour I was back to having only 5-6 working agents.
>
> I have opened UDP port 1514 into the security group where my OSSEC
> server is. The other odd problem I noticed is that I'm seeing some
> clients online and offline that are in the same EC2 security group. I did
> some sniffing of traffic using tcpdump and I can see the traffic
> coming from the OSSEC agents to the server.
>
> At the moment I'm not sure what to look for. Anyone have any ideas?
>
> Thanks,
