Hi,

quite so, TCP is supported on Wazuh manager and agents, version 1.1 and 
above.

If you are experiencing this issue, you may activate the archives on the 
manager, with this line at ossec.conf:

<ossec_config>
  <global>
    <logall>yes</logall>
  </global>
</ossec_config>


Restart your agent and look at the file 
/var/ossec/logs/archives/archives.log. Then search for an agent that should 
be active but appears as disconnected and generate any message on it. The 
manager should print that message although it doesn't produce an alert.

If the message arrives, it's OK and we should only find why the agent 
appears as disconnected. If you don't find the message on the archives 
file, look for an error by "ossec-remoted" at /var/ossec/logs/ossec.log 
and, if you see nothing related to it, use the tcpdump tool to watch 
whether packets from the agent are arriving.

Hope it helps.

Best regards.
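A small triage script for the archives.log / ossec.log checks described above, added here as an example; it is not part of this thread or of the OSSEC/Wazuh code base. The log layouts it parses are assumptions: `YYYY Mon DD HH:MM:SS (agent) ip->location message` for agent events in archives.log, `YYYY Mon DD HH:MM:SS host->location message` for manager-local events, and `YYYY/MM/DD HH:MM:SS daemon(code): LEVEL: text` for ossec.log (the shape of the ossec-config lines quoted further down). All sample lines, agent names and the probe string are constructed.

```python
"""Triage helper for the archives.log / ossec.log checks suggested above.

Added example; not part of this thread or of the OSSEC/Wazuh code base.
Assumptions (not taken from the thread): the archives.log layout
"YYYY Mon DD HH:MM:SS (agent) ip->location message" for agent events and
"YYYY Mon DD HH:MM:SS host->location message" for manager-local events,
and the ossec.log layout "YYYY/MM/DD HH:MM:SS daemon(code): LEVEL: text".
All sample lines, agent names and the probe string are constructed.
"""
import re
from datetime import datetime

ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<local>\S+))"
    r"->(?P<location>\S+) (?P<msg>.*)$"
)
OSSEC_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<daemon>[\w-]+)\((?P<code>\d+)\): (?P<level>\w+): (?P<text>.*)$"
)


def parse_archive_line(line):
    """Return a dict for one archives.log entry, or None if it does not match."""
    m = ARCHIVE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%Y %b %d %H:%M:%S")
    entry["source"] = entry["agent"] or entry["local"]
    return entry


def find_marker(archive_lines, agent, marker):
    """Entries from `agent` whose message contains the probe string `marker`."""
    hits = []
    for line in archive_lines:
        entry = parse_archive_line(line)
        if entry and entry["agent"] == agent and marker in entry["msg"]:
            hits.append(entry)
    return hits


def last_seen(archive_lines):
    """Timestamp of the most recent archived event per agent; helps spot agents
    that went quiet although they are expected to be active."""
    seen = {}
    for line in archive_lines:
        entry = parse_archive_line(line)
        if entry and entry["agent"]:
            prev = seen.get(entry["agent"])
            if prev is None or entry["ts"] > prev:
                seen[entry["agent"]] = entry["ts"]
    return seen


def remoted_errors(ossec_lines):
    """ERROR entries written by ossec-remoted in ossec.log."""
    errors = []
    for line in ossec_lines:
        m = OSSEC_RE.match(line.rstrip("\n"))
        if m and m.group("daemon") == "ossec-remoted" and m.group("level") == "ERROR":
            errors.append(m.groupdict())
    return errors


def triage(agent, marker, archive_lines, ossec_lines):
    """Decision tree from the message above:
    'arrived'        -> the probe reached the manager, so transport is fine
    'remoted-error'  -> probe missing and ossec-remoted logged an error
    'check-network'  -> probe missing and nothing in ossec.log: capture traffic
    """
    if find_marker(archive_lines, agent, marker):
        return "arrived"
    if remoted_errors(ossec_lines):
        return "remoted-error"
    return "check-network"


# Constructed sample input (not real logs).
SAMPLE_ARCHIVES = """\
2016 Dec 13 09:05:49 (web01) 10.0.0.5->/var/log/messages Dec 13 09:05:49 web01 root: probe-8f3a1c
2016 Dec 13 09:05:50 manager->/var/log/messages Dec 13 09:05:50 manager cron[99]: (root) CMD (run-parts)
2016 Dec 13 09:06:01 (web02) 10.0.0.6->/var/log/messages Dec 13 09:06:01 web02 root: probe-8f3a1c
2016 Dec 13 09:06:02 (web01) 10.0.0.5->/var/log/secure Dec 13 09:06:02 web01 sshd[1234]: Accepted publickey for ops
""".splitlines()

SAMPLE_OSSEC = """\
2016/12/13 09:05:40 ossec-remoted(9998): INFO: constructed info line.
2016/12/13 09:05:49 ossec-config(1230): ERROR: Invalid element in the configuration: 'protocol'.
2016/12/13 09:05:55 ossec-remoted(9999): ERROR: constructed error line for agent 'web03'.
""".splitlines()

if __name__ == "__main__":
    for name in ("web01", "web02", "web03"):
        print(name, triage(name, "probe-8f3a1c", SAMPLE_ARCHIVES, SAMPLE_OSSEC))
    for name, ts in sorted(last_seen(SAMPLE_ARCHIVES).items()):
        print(name, "last archived event", ts)
    for err in remoted_errors(SAMPLE_OSSEC):
        print("remoted error:", err["text"])
```

On a real manager you would feed `triage()` the lines of /var/ossec/logs/archives/archives.log and /var/ossec/logs/ossec.log and use a unique probe string (a random token or the date, as the thread recommends, so the manager's duplicate suppression does not drop it).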



On Tuesday, December 13, 2016 at 3:45:04 PM UTC+1, dan (ddpbsd) wrote:
>
> On Tue, Dec 13, 2016 at 9:11 AM, Chris Decker <[email protected]> wrote:
> > Victor,
> >
> > I'm at the point where my agents all have valid keys, so I'm unsure as to
> > why I have ~750 clients and only ~225 are reported as "active" at any one
> > time (all of the machines are alive and well, and generating mountains of
> > log data :)). I wanted to give tcp communication a shot, but it appears
> > that <protocol> isn't valid within the client tag:
> >
> > 2016/12/13 09:05:49 ossec-config(1230): ERROR: Invalid element in the configuration: 'protocol'.
> >
> > 2016/12/13 09:05:49 ossec-config(1202): ERROR: Configuration error at '/var/ossec/etc/ossec.conf'. Exiting.
> >
> > 2016/12/13 09:05:49 ossec-agentd(1215): ERROR: No client configured. Exiting.
> >
> > The documentation also doesn't make it appear that <protocol> is an option
> > there:
> >
> > http://ossec.github.io/docs/syntax/head_ossec_config.client.html
> >
>
> I believe that's a wazuh extension.
>
> > Is there something I am missing?
> >
> > On Friday, December 9, 2016 at 6:42:27 AM UTC-5, Victor Fernandez wrote:
> >>
> >> Hi,
> >>
> >> Agents should send a keepalive every 10 minutes (600 seconds) by default,
> >> and this should be enough. But you can lower that time at the agent's
> >> ossec.conf:
> >>
> >> <ossec_config>
> >>    <client>
> >>       <server-ip>1.2.3.4</server-ip>
> >>       <notify_time>60</notify_time>
> >>    </client>
> >> </ossec_config>
> >>
> >> If you see any agent disconnected, check its ossec.log file.
> >>
> >> On the other hand, as Dan says, the manager will discard two identical
> >> consecutive messages, so you should generate different messages for the logs
> >> (using a random string or the date).
> >>
> >> If you think that there could be network congestion, you may try to
> >> connect using TCP, adding, at the agent's ossec.conf:
> >>
> >> <ossec_config>
> >>    <client>
> >>       <server-ip>1.2.3.4</server-ip>
> >>       <protocol>tcp</protocol>
> >>    </client>
> >> </ossec_config>
> >>
> >> And, on the manager's ossec.conf:
> >>
> >> <ossec_config>
> >>   <remote>
> >>     <connection>secure</connection>
> >>     <protocol>tcp</protocol>
> >>   </remote>
> >> </ossec_config>
> >>
> >> Please test it and write back to us if this doesn't solve the problem. All
> >> feedback is welcome.
> >>
> >> Hope it helps.
> >> Best regards.
> >>
> >> On Friday, December 9, 2016 at 6:30:08 AM UTC+1, dan (ddpbsd) wrote:
> >>>
> >>> On Dec 8, 2016 4:41 PM, "Chris Decker" <[email protected]> wrote:
> >>>
> >>> All,
> >>>
> >>> I have an OSSEC instance (running the latest/greatest Wazuh code cloned
> >>> from GitHub) that has about 1k active hosts. I've noticed recently that
> >>> hosts are flipping back and forth between Active and Disconnected.
> >>>
> >>> Perhaps the manager is too busy? I can't remember the host limit offhand,
> >>> but I believe ossec limits the number of agents to a number smaller than
> >>> 1000.
> >>>
> >>> I've also noticed that not all of the log messages from "Active" hosts
> >>> are being received by the Manager. For example, I have an agent that
> >>> generates the same log message every second. I have debug enabled on the
> >>> Agent and I can see logcollector reading each message, but only some of the
> >>> messages are received on the Manager (I monitored it for a while and it's not
> >>> that the messages show up later due to network congestion--I don't see the
> >>> messages ever being received). I tried disabling the agent ID checks on
> >>> both the Manager and Agent but that didn't have any impact.
> >>>
> >>> Ossec will discard some repeated messages. I forget the timeframe offhand
> >>> though.
> >>>
> >>> I suspect there is a misconfiguration or limit I am running into on my
> >>> Manager running RHEL 7, but I haven't been able to track it down. I did a
> >>> simple netcat test between the same two hosts and there was no lag in
> >>> transmissions.
> >>>
> >>> Any suggestions/thoughts from the community?
> >>>
> >>> Thanks,
> >>> Chris
> >>>
> >>> --
> >>>
> >>> ---
> >>> You received this message because you are subscribed to the Google Groups
> >>> "ossec-list" group.
> >>> To unsubscribe from this group and stop receiving emails from it, send an
> >>> email to [email protected].
> >>> For more options, visit https://groups.google.com/d/optout.
> >>>
> >>>
