No, whether or not we restart the ossec service via init.d (I'm guessing this is what you meant and not "reboot"), it makes no difference. They all disconnect and periodically are able to check in when not having the errors listed below. I had previously changed the verify_msg_id=1 on the server to "0" and didn't see a difference. A few minutes ago it dawned on me to check on the agent version of internal_options.conf. I then changed it to "0" as well. Bounced both server and client...no differences.
No ideas on this one, tcpdumps aren't very revealing so far.

Thx,
Rob

-----Original Message-----
From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On Behalf Of Jason Frisvold
Sent: Monday, April 11, 2011 6:37 PM
To: ossec-list@googlegroups.com
Cc: dan (ddp)
Subject: Re: [ossec-list] All UNIX/LINUX agents disconnecting and failing to reconnect

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Apr 11, 2011, at 3:32 PM, Rob Brooks wrote:

> I'm having the same exact problem with disconnecting Linux agents as well.
> I'm at the point that I'm running tcpdump to see what the issue is because
> it's baffling. We have around 30 registered agents and only around 5-10 are
> active at any given time (which seem to rotate in and out)...the rest of the
> time, logging in the client shows it can't connect.
>
> I am wondering if there is a UDP with the F5 that the packets are traversing.
>
> Here's an example from the agent:
>
> 2011/04/11 08:47:34 ossec-agentd: INFO: Event count after '20000': 2226760->2255200 (101%) <---What does this mean?
> 2011/04/11 08:55:47 ossec-agentd: WARN: Server unavailable. Setting lock.
> 2011/04/11 08:56:08 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.54'.
> 2011/04/11 08:56:10 ossec-agentd: INFO: Trying to connect to server (xxx.xxx.xxx.54:1514).
> 2011/04/11 08:56:31 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 'xxx.xxx.xxx.54'.
> 2011/04/11 08:56:51 ossec-agentd: INFO: Trying to connect to server (xxx.xxx.xxx.54:1514).

Do you restart the ossec server to fix this, or do they come back on their own? I've noticed a few times that remoted has stopped functioning and apparently crashed. This generally seems to happen when I'm monkeying about with config changes. I haven't had a chance to dig into the cause as of yet.

> Kind Regards,
> Rob

- ---------------------------
Jason 'XenoPhage' Frisvold
xenoph...@godshell.com
- ---------------------------
"Any sufficiently advanced magic is indistinguishable from technology."
- - Niven's Inverse of Clarke's Third Law

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.16 (Darwin)

iEYEARECAAYFAk2jrKYACgkQ8CjzPZyTUTS0+ACfW+ZjYYTMAJMnWxA64cJ/pK0C
/v8AoJLeu2SCWLLqg6/41LZTl9CWz8+i
=sFWB
-----END PGP SIGNATURE-----