I'm having issues with disconnecting agents as well. - all are linux based agents - ossec server & agents are all v2.4. (performed clean install)
On one agent, I set agent.debug=2 in internal_options.conf and observed: [...] ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed). [...] ossec-syscheckd: INFO: Starting syscheck scan (forwarding database). [...] ossec-agentd: INFO: Event count after '20000': 3969001->3232384 (81%) [...] ossec-agentd: WARN: Server unavailable. Setting lock. [...] ossec-logcollector: WARN: Process locked. Waiting for permission... [...] ossec-agentd(4102): INFO: Connected to the server (xxx.xxx.xxx.xxx:1514). [...] ossec-agentd: INFO: Server responded. Releasing lock. [...] ossec-logcollector: INFO: Lock free. Continuing... [...] ossec-agentd: INFO: Event count after '20000': 4207989->3383792 (80%) [...] ossec-syscheckd: INFO: Ending syscheck scan (forwarding database). [...] ossec-syscheckd: INFO: Starting real time file monitoring. [...] ossec-rootcheck: INFO: Starting rootcheck scan. [...] ossec-rootcheck: INFO: Ending rootcheck scan. [...] ossec-agentd: WARN: Server unavailable. Setting lock. [...] ossec-agentd(4102): INFO: Connected to the server (xxx.xxx.xxx.xxx:1514). [...] ossec-agentd: INFO: Server responded. Releasing lock. [...] ossec-agentd: INFO: Event count after '20000': 4069230->3331752 (81%) [...] ossec-syscheckd: INFO: Starting syscheck scan. [...] ossec-agentd: WARN: Server unavailable. Setting lock. [...] ossec-agentd(4102): INFO: Connected to the server (xxx.xxx.xxx.xxx:1514). [...] ossec-agentd: INFO: Server responded. Releasing lock. I set remoted.debug=2 on the server, but nothing interesting appeared. Agents will reconnect without intervention, sometimes after a few minutes and other times it takes 20 minutes or much longer. On 5/11/10 5:38 PM, "dan (ddp)" <ddp...@gmail.com> wrote: > Anything in the logs (both server and agents)? > > On Tue, May 11, 2010 at 4:16 PM, Griffith, Robert > <robert.griff...@cbs.com> wrote: >> We have been running the new version of Ossec 2.4 in our environment for 3 >> weeks. Yesterday all of our UNIX/LINUX client agents started >> disconnecting. None of our Windows Server client agents have disconnected. >> Has anyone experienced this and/or found a resolution for this issue. >> >> Thank you, >> Robert >> >