Hi,

in order to know if an agent is connected, disconnected or never connected, OSSEC reads the modification date of the files in */var/ossec/queue/agent-info/*:

- if there is no file for the agent, the status is *never connected*
- if the modification time of the file is less than a defined timeout, the status is *active*. If it is greater, then the status is *disconnected*.

I guess those files are updated by the Manager each time that the agents send a "keep-alive". I'm not sure, but I think the timeout is around 30 minutes.

Regards,
Jesus Linares.

On Tuesday, April 5, 2016 at 5:26:10 PM UTC+2, sandeep wrote:
>
> Hello Dan,
>
> Thanks for the reply. Yeah, it's the old data. I ran ./agent_control -lc|grep ID:|wc -l to list the count of agents active and it shows as 3k even though the manager's ossec process is stopped. I am trying to figure out where the cache is stored. I need to remove that data before starting the manager's OSSEC process back.
>
> Without removing that data, if I start back the manager's ossec process the 3k count remains the same and the remaining agents do not show up as active.
>
> Thanks,
> Sandeep.
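
The status rule described in the reply above, as an added example that is not part of the original thread and not OSSEC's own code. The file names, the sample directory contents and the 30-minute timeout (the reply's own estimate) are assumptions.

```python
import os
import tempfile
import time

# Assumption: the post only estimates "around 30 minutes"; set this to match your manager.
TIMEOUT_SECONDS = 30 * 60


def agent_status(info_dir, file_name, timeout=TIMEOUT_SECONDS, now=None):
    """Classify one agent from the mtime of its agent-info file."""
    now = time.time() if now is None else now
    try:
        mtime = os.stat(os.path.join(info_dir, file_name)).st_mtime
    except FileNotFoundError:
        return "never connected"      # no file was ever written for this agent
    # A file refreshed within the timeout counts as active, otherwise disconnected.
    return "active" if now - mtime < timeout else "disconnected"


def classify(info_dir, expected_files, timeout=TIMEOUT_SECONDS, now=None):
    """Map each expected agent file name to its status."""
    return {f: agent_status(info_dir, f, timeout, now) for f in expected_files}


def demo():
    """Classify three constructed agents in a throwaway directory."""
    now = time.time()
    # Constructed sample data: file name -> seconds since last update (None = no file).
    ages = {"web01-10.0.0.5": 60, "db01-10.0.0.6": 3 * 3600, "new01-10.0.0.7": None}
    with tempfile.TemporaryDirectory() as info_dir:
        for name, age in ages.items():
            if age is None:
                continue
            path = os.path.join(info_dir, name)
            open(path, "w").close()
            os.utime(path, (now - age, now - age))   # backdate the mtime
        return classify(info_dir, ages, now=now)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```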