Re: [ossec-list] All UNIX/LINUX agents disconnecting

Thu, 13 May 2010 06:03:11 -0700 

I'm having issues with disconnecting agents as well.
- all are linux based agents
- ossec server & agents are all v2.4. (performed clean install)

On one agent, I set agent.debug=2 in internal_options.conf and observed:

[...] ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan
completed).
[...] ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
[...] ossec-agentd: INFO: Event count after '20000': 3969001->3232384 (81%)
[...] ossec-agentd: WARN: Server unavailable. Setting lock.
[...] ossec-logcollector: WARN: Process locked. Waiting for permission...
[...] ossec-agentd(4102): INFO: Connected to the server
(xxx.xxx.xxx.xxx:1514).
[...] ossec-agentd: INFO: Server responded. Releasing lock.
[...] ossec-logcollector: INFO: Lock free. Continuing...
[...] ossec-agentd: INFO: Event count after '20000': 4207989->3383792 (80%)
[...] ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
[...] ossec-syscheckd: INFO: Starting real time file monitoring.
[...] ossec-rootcheck: INFO: Starting rootcheck scan.
[...] ossec-rootcheck: INFO: Ending rootcheck scan.
[...] ossec-agentd: WARN: Server unavailable. Setting lock.
[...] ossec-agentd(4102): INFO: Connected to the server
(xxx.xxx.xxx.xxx:1514).
[...] ossec-agentd: INFO: Server responded. Releasing lock.
[...] ossec-agentd: INFO: Event count after '20000': 4069230->3331752 (81%)
[...] ossec-syscheckd: INFO: Starting syscheck scan.
[...] ossec-agentd: WARN: Server unavailable. Setting lock.
[...] ossec-agentd(4102): INFO: Connected to the server
(xxx.xxx.xxx.xxx:1514).
[...] ossec-agentd: INFO: Server responded. Releasing lock.

I set remoted.debug=2 on the server, but nothing interesting appeared.
Agents will reconnect without intervention, sometimes after a few minutes
and other times it takes 20 minutes or much longer.

On 5/11/10 5:38 PM, "dan (ddp)" <ddp...@gmail.com> wrote:

> Anything in the logs (both server and agents)?
> 
> On Tue, May 11, 2010 at 4:16 PM, Griffith, Robert
> <robert.griff...@cbs.com> wrote:
>>   We have been running the new version of Ossec 2.4 in our environment for 3
>> weeks.  Yesterday all of our UNIX/LINUX client agents started
>> disconnecting.  None of our Windows Server client agents have disconnected.
>> Has anyone experienced this and/or found a resolution for this issue.
>> 
>> Thank you,
>> Robert
>> 
>

Reply via email to