On Wed, Oct 26, 2016 at 2:03 PM, Gaetan Noel <[email protected]> wrote: > Hello, > > We are having an issue that makes me want to pull my hair out. > > Since about two days we get what seems to be a random number of agents that > become disconnected. On that particular environment we have a total of about > 1200+ keys. Everything was working well, most clients were online and > reporting correctly to the server. > > About two days ago we noticed that a very large number of agents became > Disconnected leaving about 200 clients Active. The issue is on and off as > sometime we see 300 agents active other times 40. > > On the client side we see the errors below : > > 2016/10/26 11:55:45 ossec-agentd: WARN: Duplicate error: global: 2, local: > 9796, saved global: 3789, saved local:7032 > 2016/10/26 11:55:45 ossec-agentd(1407): ERROR: Duplicated counter for 'XXX'. > 2016/10/26 11:55:45 ossec-agentd(1214): WARN: Problem receiving message from > x.x.x.x. > 2016/10/26 11:55:45 ossec-agentd(4101): WARN: Waiting for server reply (not > started). Tried: x.x.x.x. > > The duplicated error is something we've been seeing there and there since > the start (about 3 years ago) and everything was working well. > > Now if I check a client that is Active now we see the errors above when he > was Disconnected and now we don't see them. However nothing has changed on > the server. > > It's like if it can only accept a number x of clients. > OSSEC has been installed with "2048" for maxagents and ulimits has been > setup accordingly. > > Do you have any ideas of where I can look ?
You can try running the OSSEC processes in debug mode, but I don't know how much that will really give you. Are there any processes that might be restoring old versions of the counter files on the server? On a larger deployment I've had endless problems with the counters getting out of whack, but haven't had a chance to try and track it down. Much quicker to turn it off (with the obvious downsides of course). > (Please don't tell me to recreate the keys as the problem obviously comes > from the server :-)) > > Thanks > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
