Check the timestamps of the files under /var/ossec/queue/agent-info/. Each active agent should have its corresponding file touched with a new timestamp periodically. I believe it's every 10 minutes.
If an agent file's timestamp has not been updated for a long time, it is declared 'inactive'. I think the waiting window is 60 minutes, and this is handled by 'monitord'. It is not always easy to debug issues like this. Please report further observations as you see abnormal behaviors.

On Thursday, October 4, 2012 1:43:56 AM UTC-7, PAL wrote:
> Today some network troubles happened with only *one* host - statuses
> switched correctly in both directions.
> By contrast, the problem was detected when four hosts had a problem.
>
> On Wednesday, October 3, 2012, 16:31:25 UTC+3, user PAL wrote:
>> After some issue in the network, the ossec client lost connection to the server. A
>> message "Agent disconnected" was generated, and the client host was marked as "inactive".
>> That's good. But after the network was restored, the status did not return to "active",
>> even though the ossec server got messages from the client and generated alerts (I waited over
>> two hours). After an ossec server restart, all statuses were OK in a few minutes.
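The timestamp check suggested in the reply above, as an added example that is not part of the original thread or of OSSEC's own tooling. The directory comes from the reply; the 10- and 60-minute windows are the poster's recollection and are treated here as adjustable assumptions, and the function names are hypothetical.

```bash
#!/bin/sh
# Added example: classify OSSEC agent-info files by how recently they were touched.
# Assumption: each file in the directory corresponds to one agent.
AGENT_INFO_DIR="${AGENT_INFO_DIR:-/var/ossec/queue/agent-info}"
KEEPALIVE_MIN="${KEEPALIVE_MIN:-10}"   # assumed touch interval (per the reply)
INACTIVE_MIN="${INACTIVE_MIN:-60}"     # assumed monitord window (per the reply)

# classify_agents DIR
# Prints "<state> <file>" for every regular file in DIR:
#   fresh  touched within KEEPALIVE_MIN minutes
#   late   older than KEEPALIVE_MIN but not yet past INACTIVE_MIN
#   stale  older than INACTIVE_MIN (candidate for 'inactive')
classify_agents() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" -mmin +"$INACTIVE_MIN")" ]; then
            state=stale
        elif [ -n "$(find "$f" -mmin +"$KEEPALIVE_MIN")" ]; then
            state=late
        else
            state=fresh
        fi
        printf '%s %s\n' "$state" "${f##*/}"
    done
}

# count_state DIR STATE
# Prints how many agent files are currently in STATE.
count_state() {
    classify_agents "$1" | awk -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# When the real directory exists, show stale agents first, then a summary.
if [ -d "$AGENT_INFO_DIR" ]; then
    classify_agents "$AGENT_INFO_DIR" | sort -r
    echo "stale agents: $(count_state "$AGENT_INFO_DIR" stale)"
fi
```

An agent whose file is fresh here but still shown as inactive by the server matches the symptom described in the quoted report, and is worth including in any follow-up observation.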
