On Tue, Dec 13, 2016 at 9:11 AM, Chris Decker <[email protected]> wrote:
> Victor,
>
> I'm at the point where my agents all have valid keys, so I'm unsure as to
> why I have ~750 clients and only ~225 are reported as "active" at any one
> time (all of the machines are alive and well, and generating mountains of
> log data :)). I wanted to give tcp communication a shot, but it appears
> that <protocol> isn't valid within the client tag:
>
> 2016/12/13 09:05:49 ossec-config(1230): ERROR: Invalid element in the configuration: 'protocol'.
> 2016/12/13 09:05:49 ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
> 2016/12/13 09:05:49 ossec-agentd(1215): ERROR: No client configured. Exiting.
>
> The documentation also doesn't make it appear that <protocol> is an option
> there:
>
> http://ossec.github.io/docs/syntax/head_ossec_config.client.html
>

I believe that's a wazuh extension.

> Is there something I am missing?
>
> On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote:
>> Hi,
>>
>> Agents should send a keepalive every 10 minutes (600 seconds) by default,
>> and this should be enough. But you can go down that time at the agent's
>> ossec.conf:
>>
>> <ossec_config>
>>   <client>
>>     <server-ip>1.2.3.4</server-ip>
>>     <notify_time>60</notify_time>
>>   </client>
>> </ossec_config>
>>
>> If you see any agent disconnected, check its ossec.log file.
>>
>> On the other hand, as Dan says, the manager will discard two identical
>> consecutive messages, so you should generate different messages for the logs
>> (using a random string or the date).
>>
>> If you think that there could be network congestion, you may try to
>> connect using TCP, adding, at the agent's ossec.conf:
>>
>> <ossec_config>
>>   <client>
>>     <server-ip>1.2.3.4</server-ip>
>>     <protocol>tcp</protocol>
>>   </client>
>> </ossec_config>
>>
>> And, on the manager's ossec.conf:
>>
>> <ossec_config>
>>   <remote>
>>     <connection>secure</connection>
>>     <protocol>tcp</protocol>
>>   </remote>
>> </ossec_config>
>>
>> Please test it and write back to us if this doesn't solve the problem. All
>> feedback is welcome.
>>
>> Hope it helps.
>> Best regards.
>>
>> On Friday, December 9, 2016 at 6:30:08 AM UTC+1, dan (ddpbsd) wrote:
>>> On Dec 8, 2016 4:41 PM, "Chris Decker" <[email protected]> wrote:
>>>
>>> All,
>>>
>>> I have an OSSEC instance (running the latest/greatest Wazuh code cloned
>>> from GitHub) that has about 1k active hosts. I've noticed recently that
>>> hosts are flipping back and forth between Active and Disconnected.
>>>
>>> Perhaps the manager is too busy? I can't remember the host limit offhand,
>>> but I believe ossec limits the number of agents to a number smaller than
>>> 1000.
>>>
>>> I've also noticed that not all of the log messages from "Active" hosts
>>> are being received by the Manager. For example, I have an agent that
>>> generates the same log message every second. I have debug enabled on the
>>> Agent and I can see logcollector reading each message, but only some of the
>>> messages are received on the Manager (I monitored it for a while and it's not
>>> that the messages show up later due to network congestion--I don't see the
>>> messages ever being received). I tried disabling the agent ID checks on
>>> both the Manager and Agent but that didn't have any impact.
>>>
>>> Ossec will discard some repeated messages. I forget the timeframe offhand
>>> though.
>>>
>>> I suspect there is a misconfiguration or limit I am running into on my
>>> Manager running RHEL 7, but I haven't been able to track it down. I did a
>>> simple netcat test between the same two hosts and there was no lag in
>>> transmissions.
>>>
>>> Any suggestions/thoughts from the community?
>>>
>>> Thanks,
>>> Chris

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
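The two fixes Victor proposes (a shorter keepalive, and matching tcp on agent and manager) and the duplicate-discarding behaviour Dan and Victor mention can both be checked before rolling a change out to hundreds of agents. The script below is an added example, not code from this thread or from the OSSEC/Wazuh projects: it parses constructed agent and manager ossec.conf fragments modelled on Victor's, reports an agent/manager transport mismatch and a keepalive slower than the 600-second default, and models the discarding of identical consecutive messages to show why stamping each test line with the date keeps every copy. The function names, the constructed configs, the synthetic `<root>` wrapper, the assumption that the transport defaults to udp when `<protocol>` is absent, and the one-line dedup model are all mine.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Keepalive default quoted in Victor's reply: one keepalive every 600 seconds.
DEFAULT_NOTIFY_TIME = 600

# Constructed sample configs, modelled on the fragments in Victor's reply
# (not copied from any real deployment). The manager one deliberately
# leaves <protocol> out so the mismatch check has something to report.
AGENT_CONF = """
<ossec_config>
  <client>
    <server-ip>1.2.3.4</server-ip>
    <notify_time>60</notify_time>
    <protocol>tcp</protocol>
  </client>
</ossec_config>
"""

MANAGER_CONF = """
<ossec_config>
  <remote>
    <connection>secure</connection>
  </remote>
</ossec_config>
"""


def parse_conf(text):
    """Parse an ossec.conf body. Real files often contain several top-level
    <ossec_config> blocks, which ElementTree rejects, so wrap them in a
    synthetic root (my workaround, not an OSSEC convention)."""
    return ET.fromstring("<root>" + text + "</root>")


def agent_settings(text):
    """Agent-side settings relevant to the symptoms in the thread."""
    client = parse_conf(text).find(".//client")
    if client is None:
        # The condition behind the 'No client configured' error Chris saw.
        raise ValueError("no <client> block in agent ossec.conf")
    return {
        "server_ip": (client.findtext("server-ip") or "").strip(),
        # Assumption: udp is the transport when <protocol> is absent.
        "protocol": (client.findtext("protocol") or "udp").strip().lower(),
        "notify_time": int(client.findtext("notify_time") or DEFAULT_NOTIFY_TIME),
    }


def manager_settings(text):
    """Transport of the manager's secure <remote> listener."""
    for remote in parse_conf(text).findall(".//remote"):
        if (remote.findtext("connection") or "").strip() == "secure":
            # Same udp-by-default assumption as on the agent side.
            return {"protocol": (remote.findtext("protocol") or "udp").strip().lower()}
    raise ValueError("no <remote><connection>secure</connection> block in manager ossec.conf")


def check_transport(agent, manager):
    """Findings to clear before switching agents to TCP or shortening keepalives."""
    findings = []
    if agent["protocol"] != manager["protocol"]:
        findings.append(
            f"agent uses {agent['protocol']} but manager <remote> uses "
            f"{manager['protocol']}; set <protocol> to the same value on both sides"
        )
    if agent["notify_time"] > DEFAULT_NOTIFY_TIME:
        findings.append(
            f"notify_time {agent['notify_time']}s is slower than the {DEFAULT_NOTIFY_TIME}s default"
        )
    return findings


def manager_keeps(messages):
    """Simplified model of the behaviour Dan and Victor describe: a message
    identical to the one received just before it is discarded."""
    kept, last = [], None
    for msg in messages:
        if msg != last:
            kept.append(msg)
        last = msg
    return kept


def stamped_lines(message, count):
    """Victor's suggestion applied: prefix each copy of a repeated test line
    with the date so no two consecutive copies are identical. The base
    timestamp is constructed for the example."""
    base = datetime(2016, 12, 8, 16, 41, tzinfo=timezone.utc)
    return [f"{base.replace(second=i).isoformat(timespec='seconds')} {message}" for i in range(count)]


if __name__ == "__main__":
    for finding in check_transport(agent_settings(AGENT_CONF), manager_settings(MANAGER_CONF)):
        print("finding:", finding)
    raw = ["test event"] * 5
    print(len(manager_keeps(raw)), "of", len(raw), "identical lines kept")
    uniq = stamped_lines("test event", 5)
    print(len(manager_keeps(uniq)), "of", len(uniq), "date-stamped lines kept")
```

Run against the constructed configs it reports the tcp/udp mismatch, and the two `manager_keeps` calls show one identical line surviving out of five versus all five date-stamped lines surviving, which is the difference between Chris's "only some of the messages are received" test and a test that actually measures delivery.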
