On Thu, Oct 27, 2016 at 8:20 AM, Gaetan Noel <[email protected]> wrote:
> I have tried running in debug (both with internal_option.conf and with
> ossec-control enable debug) but the results don't give me much to work on.
>
> I don't think there is such a process although it definitely looks like
> there is something like that, Any ideas on how I could try to find such
> process ? just to make sure (there is nothing like that in the crontab) ?
>
All I can think of is start a script or cronjob to copy the sender_counter every so often. Then compare the contents. If the numbers are decreasing, there's an issue. Looking at timestamps would then help you narrow down what times the issues are occurring, and might limit the possible places the problem could be. I'm not sure how likely you are to get useful information though, it's just hard to tell.

> Can you explain quickly what counters are for ? Just to follow what agents
> are active or disconnected ? I didn't know it could be turned off, how would
> you do it ? With what kind of downside ?
>

The counters are supposed to help prevent replay attacks. If the counters don't increase, there is a problem. You can turn it off in internal_options.conf (restart the OSSEC processes after modifying the file).

> Thanks a lot for your help :-)
>
> On Thursday, October 27, 2016 at 7:33:33 AM UTC-4, dan (ddpbsd) wrote:
>>
>> On Wed, Oct 26, 2016 at 2:03 PM, Gaetan Noel <[email protected]> wrote:
>> > Hello,
>> >
>> > We are having an issue that makes me want to pull my hair out.
>> >
>> > Since about two days we get what seems to be a random number of agents
>> > that become disconnected. On that particular environment we have a total
>> > of about 1200+ keys. Everything was working well, most clients were
>> > online and reporting correctly to the server.
>> >
>> > About two days ago we noticed that a very large number of agents became
>> > Disconnected leaving about 200 clients Active. The issue is on and off as
>> > sometimes we see 300 agents active other times 40.
>> >
>> > On the client side we see the errors below :
>> >
>> > 2016/10/26 11:55:45 ossec-agentd: WARN: Duplicate error: global: 2, local: 9796, saved global: 3789, saved local:7032
>> > 2016/10/26 11:55:45 ossec-agentd(1407): ERROR: Duplicated counter for 'XXX'.
>> > 2016/10/26 11:55:45 ossec-agentd(1214): WARN: Problem receiving message from x.x.x.x.
>> > 2016/10/26 11:55:45 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: x.x.x.x.
>> >
>> > The duplicated error is something we've been seeing here and there since
>> > the start (about 3 years ago) and everything was working well.
>> >
>> > Now if I check a client that is Active now we see the errors above when
>> > he was Disconnected and now we don't see them. However nothing has
>> > changed on the server.
>> >
>> > It's like if it can only accept a number x of clients.
>> > OSSEC has been installed with "2048" for maxagents and ulimits has been
>> > setup accordingly.
>> >
>> > Do you have any ideas of where I can look ?
>>
>> You can try running the OSSEC processes in debug mode, but I don't
>> know how much that will really give you.
>>
>> Are there any processes that might be restoring old versions of the
>> counter files on the server?
>> On a larger deployment I've had endless problems with the counters
>> getting out of whack, but haven't had a chance to try and track it
>> down. Much quicker to turn it off (with the obvious downsides of
>> course).
>>
>> > (Please don't tell me to recreate the keys as the problem obviously
>> > comes from the server :-))
>> >
>> > Thanks
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
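
The snapshot-and-compare check suggested in the reply at the top of this message, as an added example that is not part of the original thread and not OSSEC project code. It assumes the counter files (including sender_counter) sit in /var/ossec/queue/rids and hold `global:local:` as decimal integers; the function names and the snapshot directory are hypothetical.

```shell
#!/bin/sh
# Added example, not OSSEC project code. Assumptions: counter files live in
# /var/ossec/queue/rids and contain "global:local:" as decimal integers.
# Function names and the snapshot directory are hypothetical.

# read_counter FILE: print "global local", or fail if FILE is unreadable/malformed.
read_counter() {
    [ -r "$1" ] || return 1
    rc_g='' rc_l='' rc_rest=''
    IFS=: read -r rc_g rc_l rc_rest < "$1" || true   # a missing final newline is fine
    case "$rc_g" in ''|*[!0-9]*) return 1 ;; esac
    case "$rc_l" in ''|*[!0-9]*) return 1 ;; esac
    echo "$rc_g $rc_l"
}

# counter_lt G1 L1 G2 L2: true when the pair (G1,L1) sorts before (G2,L2).
counter_lt() {
    [ "$1" -lt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -lt "$4" ]; }
}

# check_counters RIDS_DIR SNAP_DIR: compare every counter with its previous
# snapshot, print one timestamped line per counter that went backwards,
# refresh the snapshot, and return 1 if any regression was seen.
check_counters() {
    cc_rids=$1 cc_snap=$2 cc_bad=0
    mkdir -p "$cc_snap"
    for cc_f in "$cc_rids"/*; do
        [ -f "$cc_f" ] || continue
        cc_name=${cc_f##*/}
        cc_new=$(read_counter "$cc_f") || continue     # skip unparsable files
        if cc_old=$(read_counter "$cc_snap/$cc_name"); then
            set -- $cc_new $cc_old                     # $1 $2 = new, $3 $4 = old
            if counter_lt "$1" "$2" "$3" "$4"; then
                echo "$(date '+%Y/%m/%d %H:%M:%S') REGRESSION $cc_name $3:$4 -> $1:$2"
                cc_bad=1
            fi
        fi
        cp -p "$cc_f" "$cc_snap/$cc_name"
    done
    return "$cc_bad"
}

# Cron usage (paths are assumptions): script.sh /var/ossec/queue/rids /var/tmp/rids-snap
if [ "$#" -eq 2 ]; then
    check_counters "$1" "$2"
fi
```

Each run replaces the baseline, so a regression is reported once, at the first run after it happened; the timestamp on that line bounds when the counter file was rolled back.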
