On Dec 9, 2016 9:17 AM, "Chris Decker" <[email protected]> wrote:

Victor,

On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote:
>
> Hi,
>
> Agents should send a keepalive each 10 minutes (600 seconds) by default,
> and this should be enough. But you can go down that time at the agent's
> ossec.conf:
>
>
> <ossec_config>
>    <client>
>       <server-ip>1.2.3.4</server-ip>
>       <notify_time>60</notify_time>
>    </client>
> </ossec_config>
>
>
> If you see any agent disconnected, check its ossec.log file.
>
> On the other hand, as Dan says, the manager will discard two identical
> consecutive messages, so you should generate different messages for the
> logs (using a random string or the date).
>
These events were from auditd and were unique enough that OSSEC should
treat them as such.


Sorry, I thought you wrote that the logs were the same.



> If you think that there could be network congestion, you may try to
> connect using TCP, adding, at the agent's ossec.conf:
>
> <ossec_config>
>    <client>
>       <server-ip>1.2.3.4</server-ip>
>       <protocol>tcp</protocol>
>    </client>
> </ossec_config>
>
> And, on the manager's ossec.conf:
>
> <ossec_config>
>   <remote>
>     <connection>secure</connection>
>     <protocol>tcp</protocol>
>   </remote>
> </ossec_config>
>
I'm going to give this a try.

One thing I've noticed is that the ossec-control script isn't starting up
remoted.  If I start remoted by hand it starts, but then I see 3 remoted
processes.  I've never come across this issue before.  Do you know what
could be causing it?



Is ossec-remoted listed in the DAEMONS variable in the script?
What is your remote configuration in your ossec.conf?


> Please test it and write back to us if this doesn't solve the problem. All
> feedback is welcome.
>
> Hope it helps.
> Best regards.
>
>
> On Friday, December 9, 2016 at 6:30:08 AM UTC+1, dan (ddpbsd) wrote:
>>
>>
>>
>> On Dec 8, 2016 4:41 PM, "Chris Decker" <[email protected]> wrote:
>>
>> All,
>>
>> I have an OSSEC instance (running the latest/greatest Wazuh code cloned
>> from GitHub) that has about 1k active hosts.  I've noticed recently that
>> hosts are flipping back and forth between *Active* and *Disconnected*.
>>
>>
>> Perhaps the manager is too busy? I can't remember the host limit offhand,
>> but I believe ossec limits the number of agents to a number smaller than
>> 1000.
>>
>>
>> I've also noticed that not all of the log messages from "Active" hosts
>> are being received by the Manager.  For example, I have an agent that
>> generates the same log message every second.  I have debug enabled on the
>> Agent and I can see logcollector reading each message, but only *some*
>> of the messages are received on the Manager (I monitored it for a while and
>> it's not that the messages show up later due to network congestion; I don't
>> see the messages ever being received).  I tried disabling the agent ID
>> checks on both the Manager and Agent but that didn't have any impact.
>>
>>
>> Ossec will discard some repeated messages. I forget the timeframe offhand
>> though.
>>
>>
>>
>> I suspect there is a misconfiguration or limit I am running into on my
>> Manager running RHEL 7, but I haven't been able to track it down.  I did a
>> simple netcat test between the same two hosts and there was no lag in
>> transmissions.
>>
>> Any suggestions/thoughts from the community?
>>
>>
>>
>>
>> Thanks,
>> Chris
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>>
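The thread hinges on the agent's `<client>` settings (notify_time, protocol) agreeing with the manager's `<remote>` block. The following checker is an added example written for this post, not OSSEC or Wazuh code; it parses constructed config fragments modelled on the snippets above and assumes udp as the protocol default on both sides.

```python
"""Check that an OSSEC agent's <client> block and the manager's <remote> block agree.
Added example for this thread; not part of OSSEC/Wazuh."""
import xml.etree.ElementTree as ET

DEFAULT_NOTIFY_TIME = 600  # seconds; agent keepalive default quoted in the thread

# Constructed fragments modelled on the snippets in the thread (single-root XML;
# a real ossec.conf may hold several <ossec_config> blocks and would need wrapping).
AGENT_CONF = """<ossec_config>
  <client>
    <server-ip>1.2.3.4</server-ip>
    <notify_time>60</notify_time>
    <protocol>tcp</protocol>
  </client>
</ossec_config>"""

MANAGER_CONF = """<ossec_config>
  <remote>
    <connection>secure</connection>
    <protocol>udp</protocol>
  </remote>
</ossec_config>"""


def agent_settings(xml_text):
    """Return (notify_time, protocol) from the agent's <client> block, applying defaults."""
    client = ET.fromstring(xml_text).find("client")
    if client is None:
        raise ValueError("agent ossec.conf has no <client> block")
    notify = client.findtext("notify_time", str(DEFAULT_NOTIFY_TIME)).strip()
    proto = client.findtext("protocol", "udp").strip().lower()  # udp default: assumption
    return int(notify), proto


def manager_settings(xml_text):
    """Return (connection, protocol) from the first <remote> block with a secure connection."""
    for remote in ET.fromstring(xml_text).findall("remote"):
        if remote.findtext("connection", "").strip() == "secure":
            return "secure", remote.findtext("protocol", "udp").strip().lower()
    raise ValueError("manager ossec.conf has no <remote> block with <connection>secure</connection>")


def check_pair(agent_xml, manager_xml):
    """Return a list of findings; an empty list means agent and manager agree."""
    findings = []
    notify, agent_proto = agent_settings(agent_xml)
    _, manager_proto = manager_settings(manager_xml)
    if agent_proto != manager_proto:  # agents on the wrong transport never reach the manager
        findings.append(f"protocol mismatch: agent uses {agent_proto}, manager remote uses {manager_proto}")
    if notify > DEFAULT_NOTIFY_TIME:
        findings.append(f"notify_time {notify}s exceeds the {DEFAULT_NOTIFY_TIME}s default; agents look disconnected longer")
    return findings


if __name__ == "__main__":
    for finding in check_pair(AGENT_CONF, MANAGER_CONF) or ["agent and manager agree"]:
        print(finding)
```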