On Wed, Sep 19, 2018 at 11:09 AM <[email protected]> wrote:
>
> Hello All
>
> I wanted to know if anyone has experienced that when an agent disconnects it
> does not report that it is down.
>
> I have Ossec V3 on both the client and server.
>
> I did notice this with V2.9 as well.
>
> This is the only issue.
>
> The reporting of an agent when it disconnects.
>
> If there is a fix please can you share.
>

It looks like the log event that triggers this alert is made by
ossec-monitord. Make sure that's running.
It checks /var/ossec/queue/agent-info to see whether an agent is connected.

Permissions:
drwxr-x---. 2 ossecr ossec 262 Jul 20 09:37 agent-info

[root@rossak queue]# ls -l agent-info/
total 36
-rw-r--r--. 1 ossecr ossec 139 Oct 2 07:23 buzzell-192.168.18.8
-rw-r--r--. 1 ossecr ossec 105 Oct 2 07:24 collectd-192.168.18.52
-rw-r--r--. 1 ossecr ossec 138 Jun 15 15:35 elastic-192.168.18.61
-rw-r--r--. 1 ossecr ossec 101 May 2 08:01 hagal-192.168.18.54
-rw-r--r--. 1 ossecr ossec 105 Oct 2 07:24 ipyr-192.168.17.250
-rw-r--r--. 1 ossecr ossec 104 Oct 2 07:24 kaitain-192.168.18.110
-rw-r--r--. 1 ossecr ossec 110 Jun 19 13:44 nessus-192.168.18.53
-rw-r--r--. 1 ossecr ossec 70 Oct 2 07:24 pine-192.168.17.34
-rw-r--r--. 1 ossecr ossec 140 Oct 2 07:24 postgres-192.168.18.201

ossec-remoted must be able to write to these files.
They're not very exciting by themselves:

[root@rossak agent-info]# cat hagal-192.168.18.54
Linux hagal 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 - OSSEC HIDS v2.9.2

> Thanks
> Chuck
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
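The check described in the reply above, as an added example that is not part of the original thread and is not OSSEC code: it walks the agent-info directory, reports how long ago each agent's file was last updated, and flags files whose owner cannot write them. It assumes a file's modification time tracks the agent's last check-in, as the dates in the listing suggest; the 30-minute threshold and the function names are assumptions made for this example.

```python
import stat
import time
from pathlib import Path

AGENT_INFO_DIR = Path("/var/ossec/queue/agent-info")  # path given in the thread
STALE_AFTER = 30 * 60  # seconds; assumed threshold, not taken from OSSEC


def split_name(filename):
    """Split 'hagal-192.168.18.54' into ('hagal', '192.168.18.54').

    The split is on the last hyphen, so agent names containing hyphens survive.
    """
    name, _, ip = filename.rpartition("-")
    return (name, ip) if name else (filename, "")


def audit_agent_info(directory=AGENT_INFO_DIR, now=None, stale_after=STALE_AFTER):
    """Return one dict per agent file with its age and permission state."""
    now = time.time() if now is None else now
    report = []
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        st = entry.stat()
        name, ip = split_name(entry.name)
        age = int(now - st.st_mtime)
        report.append({
            "agent": name,
            "ip": ip,
            "age_seconds": age,
            "stale": age > stale_after,
            # Without the owner write bit, the owning account (ossecr in the
            # listing) cannot refresh the file when the agent checks in.
            "owner_writable": bool(st.st_mode & stat.S_IWUSR),
            "uid": st.st_uid,
        })
    return report


def stale_agents(report):
    """Names of agents whose file is older than the threshold."""
    return [row["agent"] for row in report if row["stale"]]


if __name__ == "__main__":
    for row in audit_agent_info():
        state = "STALE" if row["stale"] else "ok"
        perms = "" if row["owner_writable"] else " (owner cannot write)"
        print(f'{row["agent"]:<20} {row["ip"]:<16} {row["age_seconds"]:>9}s {state}{perms}')
```

Run it as a user that can read the queue directory; an agent that is known to be offline but is not listed as stale would point to a threshold mismatch rather than a permissions problem.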
