On Thu, Apr 2, 2015 at 3:49 AM, Robert Micallef <[email protected]> wrote:
> Hi,
>
> I am trying to get the OSSEC server to generate alerts sooner when the agent
> gets disconnected. As far as I can tell, this behavior should be built in to
> OSSEC v2.8.1.
>
> I tried in the agent adding the following:
>
> <client>
>   <server-ip>192.168.xxx.xxx</server-ip>
>   <notify_time>60</notify_time>
>   <time-reconnect>90</time-reconnect>
> </client>
>
> This made no difference. The server generated the disconnected agent alert
> after about 30 minutes. I read somewhere that the formula is (NOTIFY_TIME *
> 3) + 30 which would be 210 seconds so 3.5 minutes (still way less than 30
> minutes).
>
> In the documentation there is no mention where in the server to configure
> the agent disconnected timeout. Even if I was doubtful I tried anyway adding
> the following in the server ossec.conf.
>
> <client>
>   <notify_time>60</notify_time>
>   <time-reconnect>90</time-reconnect>
> </client>
>
> As expected this made no difference.
>
> Can anyone explain how notify_time + time-reconnect work? From the
> documentation, I can see that you can configure the agent to send a keep
> alive every notify_time seconds and to reconnect if disconnected every
> time-reconnect seconds. It doesn't mention anywhere where you can configure
> the server to mark an agent as disconnected.
>
> Can anyone help?
>

I don't see any options for the server side off hand. Without actually looking at it I don't think it would be too hard of a change, if you're interested. Submit any pull requests to https://github.com/ossec/ossec-hids

> Thanks,
> Robert
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
