On Dec 8, 2016 4:41 PM, "Chris Decker" <ch...@chris-decker.com> wrote:

All,

I have an OSSEC instance (running the latest/greatest Wazuh code cloned
from GitHub) that has about 1k active hosts.  I've noticed recently that
hosts are flipping back and forth between *Active* and *Disconnected*.


Perhaps the manager is too busy? I can't remember the host limit offhand,
but I believe ossec limits the number of agents to a number smaller than
1000.


I've also noticed that not all of the log messages from "*Active*" hosts
are being received by the Manager.  For example, I have an agent that
generates the same log message every second.  I have debug enabled on the
Agent and I can see logcollector reading each message, but only *some* of
the messages are received on the Manager (I monitored it for awhile and
it's not that the messages show up later due to network congestion--I don't
see the messages ever being received).  I tried disabling the agent ID
checks on both the Manager and Agent but that didn't have any impact.


Ossec will discard some repeated messages. I forget the timeframe offhand
though.



I suspect there is a misconfiguration or limit I am running into on my
Manager running RHEL 7, but I haven't been able to track it down.  I did a
simple netcat test between the same two hosts and there was no lag in
transmissions.

Any suggestions/thoughts from the community?




Thanks,
Chris

-- 

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
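To put a number on the "flipping back and forth" symptom described above, one practical step is to sample the manager's agent list on a schedule and count state transitions per agent. The script below is an added example, not code from the thread or from the OSSEC/Wazuh projects; it assumes the `ID: 001, Name: ..., IP: ..., Active` line layout printed by `/var/ossec/bin/agent_control -l` on the manager, and the listings embedded in it are constructed snapshots for illustration.

```python
import re
from collections import defaultdict

# Assumed line layout of `agent_control -l` output (one agent per line).
AGENT_LINE = re.compile(
    r"^\s*ID:\s*(?P<id>\d+),\s*Name:\s*(?P<name>[^,]+),"
    r"\s*IP:\s*(?P<ip>[^,]+),\s*(?P<state>.+?)\s*$"
)


def parse_agent_list(text):
    """Return {agent_id: state} from one agent_control -l listing."""
    states = {}
    for line in text.splitlines():
        m = AGENT_LINE.match(line)
        if m:
            states[m.group("id")] = m.group("state")
    return states


def count_flaps(snapshots):
    """Count state changes per agent across listings taken in time order.

    snapshots: list of agent_control -l outputs, oldest first.
    Returns {agent_id: number_of_transitions} for agents that changed at all.
    """
    last = {}
    flaps = defaultdict(int)
    for snap in snapshots:
        for agent_id, state in parse_agent_list(snap).items():
            prev = last.get(agent_id)
            if prev is not None and prev != state:
                flaps[agent_id] += 1
            last[agent_id] = state
    return dict(flaps)


def flapping_agents(snapshots, threshold=2):
    """Agent IDs whose state changed at least `threshold` times in the window."""
    return sorted(a for a, n in count_flaps(snapshots).items() if n >= threshold)


# Constructed sample: four listings taken one minute apart.
SNAPSHOTS = [
    """OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.0.5, Active
   ID: 002, Name: db01, IP: 10.0.0.6, Active
   ID: 003, Name: app01, IP: 10.0.0.7, Active
""",
    """OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.0.5, Disconnected
   ID: 002, Name: db01, IP: 10.0.0.6, Active
   ID: 003, Name: app01, IP: 10.0.0.7, Active
""",
    """OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.0.5, Active
   ID: 002, Name: db01, IP: 10.0.0.6, Active
   ID: 003, Name: app01, IP: 10.0.0.7, Disconnected
""",
    """OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.0.5, Disconnected
   ID: 002, Name: db01, IP: 10.0.0.6, Active
   ID: 003, Name: app01, IP: 10.0.0.7, Disconnected
""",
]

if __name__ == "__main__":
    # In production, feed the saved output of a periodic
    # `/var/ossec/bin/agent_control -l` run instead of SNAPSHOTS.
    print("transitions:", count_flaps(SNAPSHOTS))
    print("flapping:", flapping_agents(SNAPSHOTS))
```

Run `agent_control -l` from cron every minute into timestamped files, load them oldest first, and an agent that goes offline once (like 003 above) is separated from one that oscillates (001). The set of flapping IDs, compared against the agents' network paths and the manager's load at the same timestamps, narrows the search between a saturated manager and a per-agent problem.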