On Thu, Jan 5, 2012 at 10:40 PM, BP9906 <[email protected]> wrote:
> I'm not trying to ask a dumb question for an obvious description, but
> what does "Ossec agent disconnected" mean?
>

I think (but haven't verified) that it means the manager didn't receive 3 consecutive keepalives.

> The obvious answer is that the agent disconnected temporarily. I get
> these alerts from agents off and on, and when the ossec server is very
> busy (remoted, monitord, and analysisd). I reviewed ossec.log files on
> the agents that disconnect and have found no issue listed. In fact,
> agent_control on ossec server shows connected and 'keep alive' date/
> time are within a minute or so.
>
> So why get alerts on these? Also, why not get alerts on ossec agent
> reconnected?
>

No idea, I thought there was an event for that.

> Would an agent disconnecting also lead to potential events not being
> received by the ossec server? I've noticed that select Windows events
> are not making it to the ossec server, but my EPS (events per second)
> is only ~311 for Jan 2012.
>

Is it always the same events? The communication is UDP, so it's entirely possible there are missing events.

> Thoughts?
>
> Thank you!
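A small model of the keepalive logic the reply guesses at, added here as an illustration and not OSSEC's own code or anything posted in the thread: it assumes the manager expects one keepalive per fixed interval, declares an agent disconnected after three consecutive missed intervals (the reply's unverified guess), and treats a later keepalive as a reconnect; the interval, threshold and timestamps are constructed sample values.

```python
"""Model of a keepalive-miss 'agent disconnected' decision (illustration only).

Assumed behaviour, not taken from OSSEC source: the manager expects a
keepalive from each agent once per INTERVAL seconds; an agent is flagged
'disconnected' when MISS_LIMIT consecutive intervals pass with no keepalive,
and 'reconnected' when a keepalive arrives while it is flagged.  A single
lost UDP keepalive (the transient case in the thread) produces no alert.
"""

INTERVAL = 60    # seconds between expected keepalives (assumed value)
MISS_LIMIT = 3   # consecutive misses before alerting (the reply's guess)


def agent_events(keepalives, start, end, interval=INTERVAL, miss_limit=MISS_LIMIT):
    """Walk the expected keepalive slots [start, end) in steps of `interval`.

    `keepalives` is the list of timestamps (seconds) at which the manager
    actually received a keepalive.  A slot counts as hit when at least one
    keepalive falls inside it.  Returns a list of (event, slot_start) tuples,
    with event being 'disconnected' or 'reconnected'.
    """
    received = sorted(keepalives)
    events = []
    misses = 0          # consecutive empty slots so far
    connected = True    # manager's current view of the agent
    t = start
    while t < end:
        slot_hit = any(t <= k < t + interval for k in received)
        if slot_hit:
            if not connected:
                events.append(("reconnected", t))
                connected = True
            misses = 0
        else:
            misses += 1
            if connected and misses >= miss_limit:
                events.append(("disconnected", t))
                connected = False
        t += interval
    return events


if __name__ == "__main__":
    # Constructed sample: keepalives every minute, then a three-slot gap
    # (240-419), then they resume.
    gap = [5, 65, 125, 185, 425, 485, 545]
    print(agent_events(gap, 0, 600))          # disconnected at 360, reconnected at 420
    # Constructed sample: one keepalive lost in transit (slot 120-179 empty).
    print(agent_events([5, 65, 185, 245], 0, 300))   # no events
```

Feeding it the manager's real keepalive timestamps for a flapping agent shows whether the gaps line up with the busy periods the thread describes.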
