The Agent eventually was marked as disconnected, but that happened well over 30 minutes after the Agent was killed. I'm still interested in finding out what the timeout period is and whether it is tunable or not.

-Tim

On Tuesday, January 28, 2014 5:43:11 PM UTC-8, Tim Heckman wrote:
> Hello,
>
> I have a quick question regarding the 'disconnected' status. What constitutes an agent being disconnected? How long after the last keep alive does it mark an agent as disconnected and is there a way to change this value?
>
> I'm looking to alert on rule 504 (agent disconnected) specifically, and when manually shutting down the agent on the remote host it never switched from Active => Disconnected.
>
> Thanks.
> -Tim
