Hi,

Agents should send a keepalive every 10 minutes (600 seconds) by default, and this should be enough. But you can lower that time in the agent's ossec.conf:

    <ossec_config>
      <client>
        <server-ip>1.2.3.4</server-ip>
        <!-- keepalive interval, in seconds -->
        <notify_time>60</notify_time>
      </client>
    </ossec_config>

If you see any agent disconnected, check its ossec.log file.

On the other hand, as Dan says, the manager will discard two identical consecutive messages, so you should generate different messages for the logs (using a random string or the date).

If you think that there could be network congestion, you may try to connect using TCP, adding, at the agent's ossec.conf:

    <ossec_config>
      <client>
        <server-ip>1.2.3.4</server-ip>
        <protocol>tcp</protocol>
      </client>
    </ossec_config>

And, on the manager's ossec.conf:

    <ossec_config>
      <remote>
        <connection>secure</connection>
        <protocol>tcp</protocol>
      </remote>
    </ossec_config>

Please test it and write back to us if this doesn't solve the problem. All feedback is welcome.

Hope it helps.
Best regards.

On Friday, December 9, 2016 at 6:30:08 AM UTC+1, dan (ddpbsd) wrote:
>
> On Dec 8, 2016 4:41 PM, "Chris Decker" <ch...@chris-decker.com> wrote:
>
> > All,
> >
> > I have an OSSEC instance (running the latest/greatest Wazuh code cloned from GitHub) that has about 1k active hosts. I've noticed recently that hosts are flipping back and forth between *Active* and *Disconnected*.
>
> Perhaps the manager is too busy? I can't remember the host limit offhand, but I believe ossec limits the number of agents to a number smaller than 1000.
>
> > I've also noticed that not all of the log messages from "*Active*" hosts are being received by the Manager. For example, I have an agent that generates the same log message every second. I have debug enabled on the Agent and I can see logcollector reading each message, but only *some* of the messages are received on the Manager (I monitored it for a while and it's not that the messages show up later due to network congestion--I don't see the messages ever being received). I tried disabling the agent ID checks on both the Manager and Agent but that didn't have any impact.
>
> Ossec will discard some repeated messages. I forget the timeframe offhand though.
>
> > I suspect there is a misconfiguration or limit I am running into on my Manager running RHEL 7, but I haven't been able to track it down. I did a simple netcat test between the same two hosts and there was no lag in transmissions.
> >
> > Any suggestions/thoughts from the community?
> >
> > Thanks,
> > Chris

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
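
Added example, not part of the original thread or of OSSEC/Wazuh: a way to tell messages dropped in transit apart from identical consecutive messages discarded by the manager, by writing test lines that each carry a sequence number and timestamp and then looking for gaps on the manager side. The `dedup-test` marker, the function names and the sample lines are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

TAG = "dedup-test"  # hypothetical marker, chosen for this example
SEQ_RE = re.compile(rf"{re.escape(TAG)} seq=(\d+)\b")

def make_line(seq, now=None):
    """One test log line; seq and timestamp keep consecutive lines from being identical."""
    now = now or datetime.now(timezone.utc)
    return f"{TAG} seq={seq} ts={now.isoformat()}"

def write_lines(path, count, start=0):
    """Append `count` unique lines to a file that the agent's logcollector monitors."""
    with open(path, "a", encoding="utf-8") as fh:
        for seq in range(start, start + count):
            fh.write(make_line(seq) + "\n")

def find_gaps(received_lines, count, start=0):
    """Return (missing, repeated) sequence numbers among the lines the manager logged."""
    seen = {}
    for line in received_lines:
        match = SEQ_RE.search(line)
        if match:
            seq = int(match.group(1))
            seen[seq] = seen.get(seq, 0) + 1
    missing = [s for s in range(start, start + count) if s not in seen]
    repeated = sorted(s for s, n in seen.items() if n > 1)
    return missing, repeated

def demo():
    # Constructed manager-side lines: seq 2 never arrived, seq 3 arrived twice.
    received = ["(constructed prefix) " + make_line(s) for s in (0, 1, 3, 3, 4)]
    return find_gaps(received, count=5)

if __name__ == "__main__":
    missing, repeated = demo()
    print("missing:", missing, "repeated:", repeated)
```

If unique lines still show gaps on the manager, the loss is not explained by the discarding of repeated messages, which points back at the keepalive and transport settings discussed above.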