On Wed, Mar 25, 2015 at 11:16 PM, Chris Decker <[email protected]> wrote: > All, > > I have a few Windows hosts that will periodically 'Disconnect' from the > OSSEC server. In some cases they randomly will reconnect later on, while in > others we have to go through and clear out the RIDS before the agent will > re-connect successfully. > > What's the best way to troubleshoot this issue? From everything I've read, > I should enable debug on the agent and manager, but I've added "-d" to all > of the processes, and also bumped the levels in internal_options.conf to > 2's, and I still don't get any useful debug in ossec.log. > > I stopped one of my Linux agents and purposely wiped out the rids files. > When I started up in debug mode I didn't get any helpful errors on either > end of the interface (I expected to see log messages related to RIDS from > error_messages.h). > > What am I missing? >
Are there any precipitating events that might cause this? Are the rids on the agents being overwritten with old information for some reason? If you run the manager in debug mode, do you get anything helpful? > > > > Thanks, > Chris > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
