Hi Victor,
Huge thanks for the detail; this would explain exactly why we're seeing
this: our OSSEC managers are likely overloaded.
It would be very helpful to include the agentid in the logfile to
understand / track where this is occurring and the number of unique agents
that are impacted, perhaps something like:
From: src/error_messages/error_messages.h

    #define SEC_ERROR "%s(1217): ERROR: Error creating encrypted message for: '%s'."

Then inside: src/remoted/sendmsg.c

    msg_size = CreateSecMSG(&keys, msg, crypt_msg, agentid);
    if (msg_size == 0) {
        /* agentid is the key-table index; keyentries[agentid]->id is the agent's ID string */
        merror(SEC_ERROR, ARGV0, keys.keyentries[agentid]->id);
        return (-1);
    }
The clustered nature of this issue leads me to suspect it's repeating this
error in the logfiles multiple times for a connection attempt across only
one or two agents.
Again, many thanks for the detailed response.
Graeme
On Thursday, July 28, 2016 at 5:33:29 PM UTC-7, Victor Fernandez wrote:
>
> Hi Graeme.
>
> According to the log, I think the problem occurs when the manager tries to
> send the merged.mg to an agent that has not sent the keep-alive in the
> last 20 minutes. This may happen if a lot of agents get connected, or send
> the keep-alive at the same time.
>
> So, if many agents send a keep-alive, the manager takes more than 20
> minutes to send the merged.mg to an agent, and that agent hasn't sent the
> keep-alive again, this problem occurs.
>
> I did some math: the manager sleeps one second every time it sends 27 KB.
> With a 150 KB merged.mg, OSSEC takes 20 minutes to send the complete file
> to about 216 agents.
>
> The 20-minutes check appears on src/remoted/sendmsg.c:
>
> /* If we don't have the agent id, ignore it */
> if (keys.keyentries[agentid]->rcvd < (time(0) - (2 * NOTIFY_TIME))) {
> return (-1);
> }
>
> NOTIFY_TIME is 600 (10 minutes) by default. Nevertheless, OSSEC labels an
> agent as disconnected when it hasn't sent the keep-alive in the last 30:30
> minutes, as we can see at src/shared/read-agents.c:
>
> if (file_status.st_mtime > (time(0) - (3 * NOTIFY_TIME + 30))) {
> return (GA_STATUS_ACTIVE);
> }
>
> Because of this, I think that this may be an issue.
>
> I think that a good approach would be to check that there aren't alerts
> about disconnected agents that connected recently.
>
> Kind regards.
>
>
> On Thursday, July 28, 2016 at 9:43:32 AM UTC-7, Graeme Stewart wrote:
>>
>> Seeing a lot of errors in the logfiles like this:
>>
>> 2016/07/28 16:41:48 ossec-remoted: ERROR: Unable to send file 'merged.mg' to agent.
>> 2016/07/28 16:41:50 ossec-remoted(1217): ERROR: Error creating encrypted message.
>> 2016/07/28 16:41:50 ossec-remoted: ERROR: Unable to send file 'merged.mg' to agent.
>> 2016/07/28 16:41:50 ossec-remoted(1217): ERROR: Error creating encrypted message.
>> 2016/07/28 16:41:50 ossec-remoted: ERROR: Unable to send file 'merged.mg' to agent.
>> 2016/07/28 16:41:52 ossec-remoted(1217): ERROR: Error creating encrypted message.
>> 2016/07/28 16:41:52 ossec-remoted: ERROR: Unable to send file 'merged.mg' to agent.
>> 2016/07/28 16:41:52 ossec-remoted(1217): ERROR: Error creating encrypted message.
>> 2016/07/28 16:41:52 ossec-remoted: ERROR: Unable to send file 'merged.mg' to agent.
>> 2016/07/28 16:41:54 ossec-remoted(1217): ERROR: Error creating encrypted message.
>> 2016/07/28 16:41:54 ossec-remoted: ERROR: Unable to send file 'merged.mg' to agent.
>> 2016/07/28 16:41:56 ossec-remoted(1217): ERROR: Error creating encrypted message.
>>
>> Any guidance on troubleshooting? Search hasn't turned up much other than
>> delete merged.mg and restart (which we've tried to no success)...
>>
>
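Not part of the thread: an added model of the arithmetic in Victor's reply (the manager sleeping one second per 27 KB of merged.mg, the 2*NOTIFY_TIME check in sendmsg.c, and the 3*NOTIFY_TIME+30 "active" threshold in read-agents.c). It assumes every agent's keep-alive was received at the same moment and that agents are served strictly in order; the file size, agent counts and SLEEP_BYTES are constructed from the numbers quoted above, not taken from OSSEC code.

```python
from fractions import Fraction

NOTIFY_TIME = 600          # OSSEC default, seconds (quoted in the thread)
SLEEP_BYTES = 27 * 1024    # assumed: manager sleeps 1 s after every 27 KB sent


def seconds_per_agent(file_bytes, sleep_bytes=SLEEP_BYTES):
    """Throttle time spent pushing one copy of merged.mg to one agent (exact arithmetic)."""
    return Fraction(file_bytes, sleep_bytes)


def agents_within_window(file_bytes, window=2 * NOTIFY_TIME, sleep_bytes=SLEEP_BYTES):
    """Agents that can receive the file before the send_msg() staleness window closes."""
    return window * sleep_bytes // file_bytes


def max_file_bytes(n_agents, window=2 * NOTIFY_TIME, sleep_bytes=SLEEP_BYTES):
    """Largest merged.mg that still reaches n_agents inside the window."""
    return window * sleep_bytes // n_agents


def push_merged_mg(file_bytes, n_agents, keepalive_age=0, notify_time=NOTIFY_TIME):
    """Walk the agent queue in order; every agent's last keep-alive arrived
    keepalive_age seconds before the push started.
    Returns (sent, rejected_but_still_active, rejected_and_disconnected).
    A rejection is instant (send_msg returns -1 before any throttling), so once
    the window is exceeded all remaining agents fail at the same moment, which
    is what makes the errors cluster in the log."""
    now = Fraction(0)
    sent = rejected_active = rejected_disc = 0
    for _ in range(n_agents):
        age = keepalive_age + now
        # sendmsg.c: rcvd < time(0) - 2*NOTIFY_TIME  ->  age > 2*NOTIFY_TIME
        if age > 2 * notify_time:
            # read-agents.c still reports the agent Active until 3*NOTIFY_TIME + 30
            if age > 3 * notify_time + 30:
                rejected_disc += 1
            else:
                rejected_active += 1
        else:
            sent += 1
            now += seconds_per_agent(file_bytes)
    return sent, rejected_active, rejected_disc


if __name__ == "__main__":
    size = 150 * 1024
    print("agents served in 20 min:", agents_within_window(size))   # 216
    print("push to 300 agents:", push_merged_mg(size, 300))         # (217, 83, 0)
```

With a 150 KB file and 300 agents, 217 get the file and the remaining 83 are refused in the same second while read-agents.c still lists them as active, so the error burst is not evidence that those agents are down.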
You received this message because you are subscribed to the Google Groups
"ossec-list" group.