I'm not trying to ask a dumb question for an obvious description, but what does "Ossec agent disconnected" mean?
The obvious answer is that the agent disconnected temporarily. I get these alerts from agents off and on, and when the ossec server is very busy (remoted, monitord, and analysisd). I reviewed ossec.log files on the agents that disconnect and have found no issue listed. In fact, agent_control on the ossec server shows connected and 'keep alive' date/time are within a minute or so. So why get alerts on these? Also, why not get alerts on ossec agent reconnected? Would an agent disconnecting also lead to potential events not being received by the ossec server? I've noticed that select Windows events are not making it to the ossec server, but my EPS (events per second) is only ~311 for Jan 2012. Thoughts? Thank you!
