Hi Kat!
Yup, seen that happen too.
On Wednesday, August 3, 2016 at 6:56:32 AM UTC-7, Kat wrote:
>
> One thing to also check is permissions and ownership on "merged.mg" -
> many times I see it get mucked up and OSSEC can't read it. I have found
> that if I delete it, then restart OSSEC it will
One thing to also check is permissions and ownership on "merged.mg" - many
times I see it get mucked up and OSSEC can't read it. I have found that if
I delete it, then restart OSSEC it will be re-created and it no longer has
issues sending the file after that. (Not sure WHY it happens though)
Awesome! Many thanks, this is exactly what I was looking for.
On Friday, July 29, 2016 at 12:16:35 PM UTC-7, Victor Fernandez wrote:
>
> Hi Graeme.
>
> I agree, it would be great to print in the log that the agent became
> disconnected. The SEC_ERROR definition is shared between manager and
> ag
Hi Graeme.
I agree, it would be great to print in the log that the agent became
disconnected. The SEC_ERROR definition is shared between manager and
agents, but it's possible to extend some other messages. In fact, the line
at sendmsg.c that tests if the agent is disconnected (more than 20 minu
Hi Victor,
Huge thanks for the detail, this would explain exactly why we're seeing
this; our OSSEC managers are likely overloaded.
It would be very helpful to include the agentid in the logfile to
understand / track where this is occurring and the number of unique agents
that are impacted, per
Hi Graeme.
According to the log, I think the problem occurs when the manager tries to
send the merged.mg to an agent that has not sent the keep-alive in the last
20 minutes. This may happen if a lot of agents get connected, or send the
keep-alive at the same time.
So, if many agents send a ke