Hi Graeme.
According to the log, I think the problem occurs when the manager tries to
send the merged.mg to an agent that has not sent the keep-alive in the last
20 minutes. This may happen if a lot of agents get connected, or send the
keep-alive at the same time.
So, if many agents send a keep-alive, the manager takes more than 20
minutes to send the merged.mg to an agent, and that agent hasn't sent the
keep-alive again, then this problem occurs.
I did some math: the manager sleeps one second every time it sends 27 KB.
With a 150 KB merged.mg, OSSEC takes 20 minutes to send the complete file
to about 216 agents.
The 20-minute check appears in src/remoted/sendmsg.c:
    /* If we don't have the agent id, ignore it */
    if (keys.keyentries[agentid]->rcvd < (time(0) - (2 * NOTIFY_TIME))) {
        return (-1);
    }
NOTIFY_TIME is 600 (10 minutes) by default. Nevertheless, OSSEC labels an
agent as disconnected when it hasn't sent the keep-alive in the last 30:30
minutes, as we can see in src/shared/read-agents.c:
    if (file_status.st_mtime > (time(0) - (3 * NOTIFY_TIME + 30))) {
        return (GA_STATUS_ACTIVE);
    }
Because of this, I think that this may be an issue.
I think that a good approach would be to check that there aren't alerts
about disconnected agents that connected recently.
Kind regards.
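Added example (editor's code, not from OSSEC or from the message above): it models the timing argument in the reply, reproducing the two threshold checks quoted from sendmsg.c and read-agents.c, and computes where an agent lands in the gap between them. Assumptions: the manager pauses 1 s per 27 KB sent (the figure given above), agents are served one after another, and NOTIFY_TIME is the default 600.

```c
#include <stdio.h>
#include <time.h>

#define NOTIFY_TIME 600   /* OSSEC default, seconds */
#define KB_PER_SLEEP 27   /* assumption from the reply: one 1 s pause per 27 KB */

/* Seconds of throttling the manager spends pushing merged.mg (file_kb KB)
 * to `position` agents served before the one we are looking at. */
static time_t seconds_before_agent(int file_kb, int position)
{
    return (time_t)((long)position * file_kb / KB_PER_SLEEP);
}

/* How many agents can be served before the manager has been busy longer
 * than the 2*NOTIFY_TIME window required by sendmsg.c (integer maths so
 * 150 KB gives exactly 216, as in the reply). */
int agents_within_send_window(int file_kb)
{
    return (2 * NOTIFY_TIME * KB_PER_SLEEP) / file_kb;
}

/* The check from src/remoted/sendmsg.c: send only if the agent's last
 * keep-alive (rcvd) is not older than 2*NOTIFY_TIME seconds. */
int remoted_would_send(time_t rcvd, time_t now)
{
    return rcvd >= now - (2 * NOTIFY_TIME);
}

/* The check from src/shared/read-agents.c: the agent is still shown as
 * ACTIVE while its keep-alive file was touched within 3*NOTIFY_TIME+30 s. */
int agent_reported_active(time_t mtime, time_t now)
{
    return mtime > now - (3 * NOTIFY_TIME + 30);
}

/* An agent whose keep-alive arrived at t=0 and that is served after
 * `position` earlier agents: 1 if read-agents still calls it ACTIVE while
 * sendmsg.c already refuses to send to it, the inconsistency described above. */
int in_inconsistent_gap(int file_kb, int position)
{
    time_t now = seconds_before_agent(file_kb, position);
    return !remoted_would_send(0, now) && agent_reported_active(0, now);
}

int main(void)
{
    printf("150 KB: %d agents fit in the send window\n", agents_within_send_window(150));
    printf("agent served 230th: in gap = %d\n", in_inconsistent_gap(150, 230));
    return 0;
}
```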
On Thursday, July 28, 2016 at 9:43:32 AM UTC-7, Graeme Stewart wrote:
>
> Seeing a lot of errors in the logfiles like this:
>
> 2016/07/28 16:41:48 ossec-remoted: ERROR: Unable to send file 'merged.mg'
> to agent.
> 2016/07/28 16:41:50 ossec-remoted(1217): ERROR: Error creating encrypted
> message.
> 2016/07/28 16:41:50 ossec-remoted: ERROR: Unable to send file 'merged.mg'
> to agent.
> 2016/07/28 16:41:50 ossec-remoted(1217): ERROR: Error creating encrypted
> message.
> 2016/07/28 16:41:50 ossec-remoted: ERROR: Unable to send file 'merged.mg'
> to agent.
> 2016/07/28 16:41:52 ossec-remoted(1217): ERROR: Error creating encrypted
> message.
> 2016/07/28 16:41:52 ossec-remoted: ERROR: Unable to send file 'merged.mg'
> to agent.
> 2016/07/28 16:41:52 ossec-remoted(1217): ERROR: Error creating encrypted
> message.
> 2016/07/28 16:41:52 ossec-remoted: ERROR: Unable to send file 'merged.mg'
> to agent.
> 2016/07/28 16:41:54 ossec-remoted(1217): ERROR: Error creating encrypted
> message.
> 2016/07/28 16:41:54 ossec-remoted: ERROR: Unable to send file 'merged.mg'
> to agent.
> 2016/07/28 16:41:56 ossec-remoted(1217): ERROR: Error creating encrypted
> message.
>
> Any guidance on troubleshooting? Search hasn't turned up much other than
> delete merged.mg and restart (which we've tried to no success)...
>