I've seen the issues and we're running CentOS 5.2. We're testing on around 50 servers (plans to possibly roll out onto thousands) and ALL of them disconnect and reconnect, some of them never being able to connect at all.
When I have time to devote to work on it, I'm going to attempt more troubleshooting. --Rob On Fri, Apr 22, 2011 at 3:32 AM, Doug Burks <doug.bu...@gmail.com> wrote: > One of my OSSEC servers has about 40 agents and sees about 3 million > events/day. Now that the issue seems to have been resolved, it's CPU > utilization is quite low just like yours and is what I'm expecting. > > I actually had 5 different OSSEC servers running RHEL/CentOS 5.5 and > only 2 of them experienced this particular issue, so I'm not saying it > happens to everybody or that it's normal. But I know there were > others in the thread who seemed to experience the same issue, so I was > asking them to see if they were perhaps running 5.5 and if the upgrade > to 5.6 resolved it for them like it seems to have resolved it for me. > > Thanks, > -- > Doug Burks, GSE, CISSP > President, Greater Augusta ISSA > http://augusta.issa.org > http://securityonion.blogspot.com > > On Thu, Apr 21, 2011 at 11:33 AM, jjennings <jjenni...@zoominternet.net> > wrote: > > how many agents was the host monitoring? I'm monitoring about 20 agents > > running OSSEC on a virtualized machine with Centos5.5 with only 1 cpu > and 1 > > GB ram and it's hardly breaking 1.0 in cpu utilization. > > > > ----- Original Message ----- > > From: Doug Burks > > To: ossec-list@googlegroups.com > > Sent: Thursday, April 21, 2011 10:17 AM > > Subject: Re: RE: [ossec-list] All UNIX/LINUX agents disconnecting and > > failing to reconnect > > I had two servers that were exhibiting this behavior (ossec-analysisd > using > > 99% CPU resulting in agents disconnecting). They were both running > CentOS > > 5.5 and I had verified that rebooting the server didn't help. As soon as > > CentOS 5.6 became available, I upgraded and rebooted, and have not seen > this > > issue since. This could have been a bad interaction with the kernel or > some > > other part of the OS that has been fixed now. > > For anybody else who has experienced this, were you running CentOS/RHEL > 5.5? > > Can you try updating to 5.6 and see if that helps? > > Thanks, > > Doug >
