I have tried running in debug (both with internal_option.conf and with ossec-control enable debug), but the results don't give me much to work on.
I don't think there is such a process, although it definitely looks like there is something like that. Any ideas on how I could try to find such a process? Just to make sure (there is nothing like that in the crontab).

Can you explain quickly what counters are for? Just to follow what agents are active or disconnected? I didn't know it could be turned off, how would you do it? With what kind of downside?

Thanks a lot for your help :-)

On Thursday, October 27, 2016 at 7:33:33 AM UTC-4, dan (ddpbsd) wrote:
> On Wed, Oct 26, 2016 at 2:03 PM, Gaetan Noel <[email protected]> wrote:
> > Hello,
> >
> > We are having an issue that makes me want to pull my hair out.
> >
> > Since about two days we get what seems to be a random number of agents that
> > become disconnected. On that particular environment we have a total of about
> > 1200+ keys. Everything was working well, most clients were online and
> > reporting correctly to the server.
> >
> > About two days ago we noticed that a very large number of agents became
> > Disconnected, leaving about 200 clients Active. The issue is on and off, as
> > sometimes we see 300 agents active, other times 40.
> >
> > On the client side we see the errors below:
> >
> > 2016/10/26 11:55:45 ossec-agentd: WARN: Duplicate error: global: 2, local: 9796, saved global: 3789, saved local:7032
> > 2016/10/26 11:55:45 ossec-agentd(1407): ERROR: Duplicated counter for 'XXX'.
> > 2016/10/26 11:55:45 ossec-agentd(1214): WARN: Problem receiving message from x.x.x.x.
> > 2016/10/26 11:55:45 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: x.x.x.x.
> >
> > The duplicated error is something we've been seeing here and there since
> > the start (about 3 years ago) and everything was working well.
> >
> > Now if I check a client that is Active now, we see the errors above when he
> > was Disconnected and now we don't see them. However, nothing has changed on
> > the server.
> >
> > It's as if it can only accept a number x of clients.
> > OSSEC has been installed with "2048" for maxagents and ulimits has been
> > set up accordingly.
> >
> > Do you have any ideas of where I can look?
>
> You can try running the OSSEC processes in debug mode, but I don't
> know how much that will really give you.
>
> Are there any processes that might be restoring old versions of the
> counter files on the server?
> On a larger deployment I've had endless problems with the counters
> getting out of whack, but haven't had a chance to try and track it
> down. Much quicker to turn it off (with the obvious downsides of
> course).
>
> > (Please don't tell me to recreate the keys as the problem obviously comes
> > from the server :-))
> >
> > Thanks
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
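A triage sketch for the "Duplicate error" lines quoted in this thread, added here as an example (it is not code from the thread or from the OSSEC project). It assumes the first global/local pair is the counter carried in the received message and the "saved" pair is the last counter the receiver accepted; the sample lines and the verdict names are constructed.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the thread (second WARN line is invented).
SAMPLE_LOG = """\
2016/10/26 11:55:45 ossec-agentd: WARN: Duplicate error: global: 2, local: 9796, saved global: 3789, saved local:7032
2016/10/26 11:55:45 ossec-agentd(1407): ERROR: Duplicated counter for 'XXX'.
2016/10/26 11:56:10 ossec-agentd: WARN: Duplicate error: global: 3789, local: 7032, saved global: 3789, saved local:7032
2016/10/26 11:56:12 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: x.x.x.x.
"""

DUP_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<proc>[\w-]+)(?:\(\d+\))?: "
    r"WARN: Duplicate error:\s*global:\s*(?P<g>\d+),\s*local:\s*(?P<l>\d+),"
    r"\s*saved global:\s*(?P<sg>\d+),\s*saved local:\s*(?P<sl>\d+)"
)

def classify(received, saved):
    """Compare (global, local) pairs; tuples order the same way the counters do."""
    if received > saved:
        return "not-a-duplicate"      # should not be logged as a duplicate at all
    if received == saved:
        return "exact-repeat"         # same counter seen twice (retransmit or replay)
    if received[0] < saved[0]:
        return "global-rolled-back"   # sender state looks reset or restored from old data
    return "local-behind"             # same global, older local (stale or reordered)

def triage(text):
    """Return one finding per 'Duplicate error' line, ignoring all other lines."""
    findings = []
    for line in text.splitlines():
        m = DUP_RE.match(line)
        if not m:
            continue
        received = (int(m["g"]), int(m["l"]))
        saved = (int(m["sg"]), int(m["sl"]))
        findings.append({"ts": m["ts"], "received": received, "saved": saved,
                         "verdict": classify(received, saved)})
    return findings

def summary(findings):
    """Count verdicts, e.g. to compare agents that flap against agents that stay Active."""
    return Counter(f["verdict"] for f in findings)

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["received"], "vs saved", f["saved"], "->", f["verdict"])
```

Many "global-rolled-back" findings across agents at the same time would fit the question raised above about old counter files being restored on the server.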
