Thanks for getting back to me. I've dug in to the source and it looks like 
the agent timeout period is 3 * NOTIFY_TIME + 30 within get_agent_status() 
in read-agents.c.

NOTIFY_TIME is defined in 'defs.h' and is 600 seconds. So it's 1830 seconds 
or 30 minutes and 30 seconds.

Cheers!
-Tim

On Wednesday, January 29, 2014 11:48:14 AM UTC-8, dan (ddpbsd) wrote:
>
>
> On Jan 29, 2014 2:43 PM, "Tim Heckman" <[email protected] <javascript:>> 
> wrote:
> >
> > The Agent eventually was marked as disconnected, but happened well over 
> 30 minutes after the Agent was killed. I'm still interested in finding out 
> what the timeout period is and whether it is tunable or not.
> >
>
> Sounds about right. You'll have to check the source to verify though.
>
> > -Tim
> >
> >
> > On Tuesday, January 28, 2014 5:43:11 PM UTC-8, Tim Heckman wrote:
> >>
> >> Hello,
> >>
> >> I have a quick question regarding the 'disconnected' status. What 
> constitutes an agent being disconnected? How long after the last keep alive 
> does it mark an agent as disconnected and is there a way to change this 
> value?
> >>
> >> I'm looking to alert on rule 504 (agent disconnected) specifically, and 
> when manually shutting down the agent on the remote host it never switched 
> from Active => Disconnected.
> >>
> >> Thanks.
> >> -Tim
> >
> > -- 
> >  
> > --- 
> > You received this message because you are subscribed to the Google 
> Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send 
> an email to [email protected] <javascript:>.
> > For more options, visit https://groups.google.com/groups/opt_out.
>  

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to