Thanks for getting back to me. I've dug into the source and it looks like the agent timeout period is 3 * NOTIFY_TIME + 30 within get_agent_status() in read-agents.c.
NOTIFY_TIME is defined in 'defs.h' and is 600 seconds. So it's 1830 seconds or 30 minutes and 30 seconds.

Cheers!
-Tim

On Wednesday, January 29, 2014 11:48:14 AM UTC-8, dan (ddpbsd) wrote:
>
> On Jan 29, 2014 2:43 PM, "Tim Heckman" <[email protected]> wrote:
> >
> > The Agent eventually was marked as disconnected, but happened well over
> > 30 minutes after the Agent was killed. I'm still interested in finding out
> > what the timeout period is and whether it is tunable or not.
> >
>
> Sounds about right. You'll have to check the source to verify though.
>
> > -Tim
> >
> > On Tuesday, January 28, 2014 5:43:11 PM UTC-8, Tim Heckman wrote:
> >>
> >> Hello,
> >>
> >> I have a quick question regarding the 'disconnected' status. What
> >> constitutes an agent being disconnected? How long after the last keep alive
> >> does it mark an agent as disconnected and is there a way to change this
> >> value?
> >>
> >> I'm looking to alert on rule 504 (agent disconnected) specifically, and
> >> when manually shutting down the agent on the remote host it never switched
> >> from Active => Disconnected.
> >>
> >> Thanks.
> >> -Tim

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
