Also, on our Ossec Master Server, we are observing that the "ossec-analysisd" uses ~100% of a single CPU (4 CPU's are available). Could this be causing any issues?
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND 2779 ossec 25 0 8236 2932 704 R 93.2 0.1 119:14.70 ossec-analysisd Thank you, Robert -----Original Message----- From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of Griffith, Robert Sent: Wednesday, July 28, 2010 5:14 AM To: 'ossec-list@googlegroups.com' Subject: [ossec-list] All UNIX/LINUX agents disconnecting and failing to reconnect Importance: High We continue to observe the Ossec Client disconnects to our Ossec Master Server over the network. We started receiving these disconnects again on Wednesday July 7th 2010. The clients disconnected daily and failed to reconnect for hours (some clients took days or never reconnected again). This issue was also observed in May on 5/10/2010. That issue lasted for two weeks and then suddenly stopped without any Ossec configuration changes. We implemented the fix you provided below after we encountered the issue again on Wednesday July 7th 2010. We cleaned the "rids" directory and disabled the counters on both the Ossec Master Server and all UNIX/Linux Clients (set verify_msg_id to 0 on the internal_options.conf). The "fix" you provided cleared the issue for 5 days and then the Client disconnect issue re-emerged. We re-applied the "fix" again without success. We are again experiencing disconnects and failed re-connects on all UNIX/LINUX Ossec agents. FYI: We are using Ossec Version 2.4. Counters are disabled. Thank you, Robert -----Original Message----- From: ossec-list@googlegroups.com [mailto:ossec-l...@googlegroups.com] On Behalf Of Daniel Cid Sent: Friday, May 14, 2010 9:43 AM To: ossec-list@googlegroups.com Subject: Re: [ossec-list] RE: All UNIX/LINUX agents disconnecting Hi Lucio, There is two issues in this thread. One, the agent disconnects and then reconnects by itself. That's fine and can happen on high load environment or when a message gets dropped. The second issue that Mike mentioned happens when the counters get out of sync and the agent never reconnects. For this problem, you have to either clean the "rids" directory on the manager or disable the counters. To disable it, set verify_msg_id to 0 on the internal_options.conf file: # Verify msg id (set to 0 to disable it) remoted.verify_msg_id=0 Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On Thu, May 13, 2010 at 1:21 PM, Lucio Emanuel Soldo <luxie...@gmail.com> wrote: > Hi Mike, how are you? Could you post the final solution your team has > produced in order to fix its problem? > > Thanx alot! > > On Tue, May 11, 2010 at 6:56 PM, Pendergrast, Michael L > <michael.l.pendergr...@boeing.com> wrote: >> >> Yes we have >> >> although we have v1.6 >> >> I don't have the details as my team has worked the problem and is >> currently deployed. >> >> What we did find is that there is a counter in the agent and in the >> manager and if they get out of sequence the agent will stop >> (basicaqlly they get out of sequence). We also found that at startup >> of the UNIX agents that if multiple agents all start at the same >> time, the agents will stop. In this case, for initial startup we had >> to sequence the startup in about 10 min increments. >> >> Mike >> ________________________________ >> From: ossec-list@googlegroups.com >> [mailto:ossec-l...@googlegroups.com] On Behalf Of Griffith, Robert >> Sent: Tuesday, May 11, 2010 12:26 PM >> To: 'ossec-l...@ossec.net' >> Subject: [ossec-list] All UNIX/LINUX agents disconnecting >> Importance: High >> >> We have been running the new version of Ossec 2.4 in our >> environment for >> 3 weeks. Yesterday all of our UNIX/LINUX client agents started >> disconnecting. None of our Windows Server client agents have disconnected. >> Has anyone experienced this and/or found a resolution for this issue. >> >> Thank you, >> Robert >> >