Jesus is totally right. The timeout he is talking about is: 3*NOTIFY_TIME+30; NOTIFY_TIME by default is 600 seconds.

Check the last modification date of every agent-info/* file and wait until that time is more than 30'30''.

Best regards,
Pedro S.

On Thursday, April 7, 2016 at 8:08:02 PM UTC+2, Jesus Linares wrote:
>
> Hi,
>
> in order to know if an agent is connected, disconnected or never connected,
> OSSEC reads the modification date of the files in
> /var/ossec/queue/agent-info/:
>
> - if there is no file for the agent, the status is *never connected*
> - if the modification time of the file is less than a defined timeout,
>   the status is *active*. If it is greater, then the status is
>   *disconnected*.
>
> I guess those files are updated by the Manager each time that the agents
> send a "keep-alive".
>
> I'm not sure, but I think the timeout is around 30 minutes.
>
> Regards,
> Jesus Linares.
>
> On Tuesday, April 5, 2016 at 5:26:10 PM UTC+2, sandeep wrote:
>>
>> Hello Dan,
>>
>> Thanks for the reply. Yeah, it's the old data. I ran ./agent_control
>> -lc|grep ID:|wc -l to list the count of agents active and it shows as 3k
>> even though the manager's ossec process is stopped. I am trying to figure
>> out where the cache is stored. I need to remove that data before starting
>> the manager's OSSEC process back.
>>
>> Without removing that data, if I start back the manager's ossec process,
>> the 3k count remains the same and the remaining agents do not show up as
>> active.
>>
>> Thanks,
>> Sandeep.
>>
>
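
The check described in this thread, as an added example that is not part of the original messages: it compares each agent-info file's modification time against 3*NOTIFY_TIME+30 and reports how many seconds remain before the file counts as disconnected. The function names are illustrative, and treating an age exactly equal to the timeout as disconnected is an assumption, since the thread only says "less than" and "greater".

```shell
#!/bin/sh
# Added example: classify agents by the age of their agent-info file.
NOTIFY_TIME=600                      # default stated in the thread
TIMEOUT=$((3 * NOTIFY_TIME + 30))    # 1830 s, i.e. 30'30''

# Modification time in epoch seconds (GNU stat first, BSD stat as fallback).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# agent_status FILE [NOW]: NOW defaults to the current time.
agent_status() {
    file=$1
    now=${2:-$(date +%s)}
    if [ ! -e "$file" ]; then
        echo "never connected"       # no file for the agent
        return 0
    fi
    age=$((now - $(file_mtime "$file")))
    if [ "$age" -lt "$TIMEOUT" ]; then
        echo "active"
    else
        echo "disconnected"          # assumption: age == TIMEOUT lands here
    fi
}

# seconds_until_stale FILE [NOW]: seconds left before FILE reads as disconnected.
seconds_until_stale() {
    file=$1
    now=${2:-$(date +%s)}
    [ -e "$file" ] || return 1
    left=$((TIMEOUT - (now - $(file_mtime "$file"))))
    if [ "$left" -lt 0 ]; then left=0; fi
    echo "$left"
}

# report DIR [NOW]: one line per file, e.g. report /var/ossec/queue/agent-info
report() {
    dir=$1
    now=${2:-$(date +%s)}
    for f in "$dir"/*; do
        [ -e "$f" ] || continue      # empty directory: glob did not match
        printf '%s\t%s\t%ss left\n' "$(agent_status "$f" "$now")" \
            "${f##*/}" "$(seconds_until_stale "$f" "$now")"
    done
}
```

Agents that never connected have no file, so `report` cannot list them; `agent_status` returns that state only when asked about a specific path.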
