Hi Ben.
The first error is normal, or at less, predictable to happen: since an
agent-less isn't an agent, it can't receive active-responses. Active
responses are generated by the rule analyzer (analisisd), that doesn't
distinguish between agents and agent-less, so the remote daemon, that
sends the active-response commands, shows that error because it can't find
the agent. But it isn't a critical error.
Regarding to the second problem, there is a hardcoded limit of 10 attempts
at agentless/agentless.c:
/* Main monitor loop */
/* (...) */
while(lessdc.entries[i])
{
if(lessdc.entries[i]->error_flag >= 10)
{
if(lessdc.entries[i]->error_flag != 99)
{
merror("%s: ERROR: Too many failures for '%s'. Ignoring
it.",
ARGV0, lessdc.entries[i]->type);
lessdc.entries[i]->error_flag = 99;
}
i++;
sleep(i);
continue;
}
The last 3 lines make that, after 10 attempts, the program continues and no
longer tries to execute the command. Maybe, deleting them (i++; sleep(i);
continue;) the program retries to execute the command.
We're testing it at our development environment and we'll include the
changes in our repository at Wazuh.
Best regards.
Victor.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
