Hello, While an agent is disconnected, it will stop monitoring the log files configured to monitor, and therefore, it should only lose the logs that were being sent at the same moment that the communication got interrupted, independently of the buffer. The time that the agent can verify its disconnection and stop monitoring files will be much shorter when using the TCP protocol, and therefore, the logs loose would be decreased.
All the new logs ingested into the log file while the agent is disconnected should be sent to the Manager side once the agent reconnects. You could perform a test by monitoring a specific log file, disconnecting the agent, then introducing new log lines to the monitored file, and monitoring the archives.json once the agent reconnects. You should be able to verify that all the logs ingested during the disconnection were sent once it reconnected. I hope this helps. Regards, Jose Manuel Lopez On Friday, February 28, 2020 at 2:55:40 AM UTC+1 [email protected] wrote: > Hello, > > Between a manager and a linux and a windows agent, some logs are missing > during a network cable disconnecting. > I checked it in "archive.json" file which doesn't contain some logs. > I tested in under a buffer disabled and a buffer normal situation. > What's wrong in my situation or testing? > > Many thanks. > > Nobel Jung > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ossec-list/9a5a6b02-56fa-4f53-affd-2989c3042b94n%40googlegroups.com.
