Hi,
I am trying to get the OSSEC server to generate alerts sooner when the
agent gets disconnected. As far as I can tell, this behavior should be
built in to OSSEC v2.8.1.
On the agent, I tried adding the following:
<client>
<server-ip>192.168.xxx.xxx</server-ip>
<notify_time>60</notify_time>
<time-reconnect>90</time-reconnect>
</client>
This made no difference. The server generated the disconnected agent alert
after about 30 minutes. I read somewhere that the formula is (NOTIFY_TIME *
3) + 30 which would be 210 seconds so 3.5 minutes (still way less than 30
minutes).
In the documentation there is no mention where in the server to configure
the agent disconnected timeout. Even if I was doubtful I tried anyway
adding the following in the server ossec,conf.
<client>
<notify_time>60</notify_time>
<time-reconnect>90</time-reconnect>
</client>
As expected this made no difference.
Can anyone explain how notify_time + time-reconnect work? From the
documentation, I can see that you can configure the agent to send a keep
alive every notify_time seconds and to reconnect if disconnected every
time-reconnect seconds. It doesn't mention anywhere where you can configure
the server to mark an agent as disconnected.
Can anyone help?
Thanks,
Robert