Thank you, I have made the changes and will test this.

Respectfully Yours
Charles McKee
Information Security Architect
-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of dan (ddp)
Sent: Tuesday, October 2, 2018 7:31 AM
To: [email protected]
Subject: Re: [ossec-list] Ossec Agent Disconnect but it is not reporting

On Wed, Sep 19, 2018 at 11:09 AM <[email protected]> wrote:
>
> Hello All
>
> I wanted to know if anyone has experienced that when an agent disconnects
> it does not report that is down.
>
> I have Ossec V3 on both the client and server.
>
> I did notice this with V2.9 as well.
>
> This is the only issue.
>
> The reporting of an agent when does disconnects.
>
> If there is a fix please can you share.
>

It looks like the log event that triggers this alert is made by
ossec-monitord. Make sure that's running.
It checks /var/ossec/queue/agent-info to see whether an agent is connected.

Permissions:
drwxr-x---. 2 ossecr ossec 262 Jul 20 09:37 agent-info

[root@rossak queue]# ls -l agent-info/
total 36
-rw-r--r--. 1 ossecr ossec 139 Oct  2 07:23 buzzell-192.168.18.8
-rw-r--r--. 1 ossecr ossec 105 Oct  2 07:24 collectd-192.168.18.52
-rw-r--r--. 1 ossecr ossec 138 Jun 15 15:35 elastic-192.168.18.61
-rw-r--r--. 1 ossecr ossec 101 May  2 08:01 hagal-192.168.18.54
-rw-r--r--. 1 ossecr ossec 105 Oct  2 07:24 ipyr-192.168.17.250
-rw-r--r--. 1 ossecr ossec 104 Oct  2 07:24 kaitain-192.168.18.110
-rw-r--r--. 1 ossecr ossec 110 Jun 19 13:44 nessus-192.168.18.53
-rw-r--r--. 1 ossecr ossec  70 Oct  2 07:24 pine-192.168.17.34
-rw-r--r--. 1 ossecr ossec 140 Oct  2 07:24 postgres-192.168.18.201

ossec-remoted must be able to write to these files. They're not very
exciting by themselves:

[root@rossak agent-info]# cat hagal-192.168.18.54
Linux hagal 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37 UTC 2018 x86_64 - OSSEC HIDS v2.9.2

> Thanks
> Chuck
>
>
>
> ________________________________
>
> This email and any files transmitted with it are considered privileged and
> confidential unless otherwise explicitly stated otherwise.
> If you are not
> the intended recipient you are notified that disclosing, copying,
> distributing or taking any action in reliance on the contents of this
> information is strictly prohibited. All email data and contents may be
> monitored to ensure that their use is authorized, for management of the
> system, to facilitate protection against unauthorized use, and to verify
> security procedures, survivability and operational security. Under no
> circumstance should the user of this email have an expectation of privacy
> for this correspondence.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
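
Added example, not part of the original thread and not OSSEC's own code: a shell script for the checks dan's reply describes (ossec-monitord running, agent-info files still being updated and writable by their owner). The function names and the 30-minute staleness default are assumptions, and a file's modification time is taken as the last time ossec-remoted wrote it.

```shell
#!/bin/sh
# Added example: checks for the agent-info directory discussed in the thread.
# Function names and the 30-minute default are assumptions, not OSSEC settings.

# Print agent-info files not modified within the last MINUTES minutes.
stale_agents() {    # usage: stale_agents DIR MINUTES
    find "$1" -type f -mmin +"$2" -exec basename {} \; | sort
}

# Print agent-info files that OWNER (name or numeric uid) cannot write:
# the file belongs to another user, or its owner write bit is off.
unwritable_agents() {    # usage: unwritable_agents DIR OWNER
    find "$1" -type f \( ! -user "$2" -o ! -perm -u=w \) \
        -exec basename {} \; | sort
}

# Run all three checks and print a short report.
check_agent_info() {    # usage: check_agent_info DIR OWNER [MINUTES]
    dir=$1 owner=$2 minutes=${3:-30}

    # The thread says the disconnect event is generated by ossec-monitord.
    if pgrep -x ossec-monitord >/dev/null 2>&1; then
        echo "ossec-monitord: running"
    else
        echo "ossec-monitord: NOT running"
    fi

    echo "agent-info files older than $minutes minutes:"
    stale_agents "$dir" "$minutes" | sed 's/^/  /'

    echo "agent-info files not writable by $owner:"
    unwritable_agents "$dir" "$owner" | sed 's/^/  /'
}

# Example: sh check_agent_info.sh /var/ossec/queue/agent-info ossecr
if [ "$#" -ge 2 ]; then
    check_agent_info "$@"
fi
```

An agent listed as stale for which no disconnect alert was raised points back at ossec-monitord or at the permissions on the directory.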
