I mis-spoke when I said error, I meant to say notice. I am still wondering why it didn't use the variables in agent.conf. There is nothing in either the server or agent logs except showing some errors on the database side that I dont think are related.
2017/01/17 15:09:55 ossec-dbd(5203): ERROR: Error executing query 'SELECT id FROM location WHERE name = 'mvsc1lx071->ossec-monitord' AND server_id = '1' LIMIT 1'. Error: 'Lost connection to MySQL server during query'. 2017/01/17 15:09:55 ossec-dbd(5209): INFO: Closing connection to database. 2017/01/17 15:09:55 ossec-dbd(5210): INFO: Attempting to reconnect to database. Here I have turned up the verbosity in the ossec-dbd: 2017/01/17 15:16:16 ossec-dbd(5204): ERROR: Database error. Unable to run query. 2017/01/17 15:16:16 ossec-dbd(5203): ERROR: Error executing query 'INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('38714', '1', '5502','1484691376', '107', '0', '0', '0', '0', '1484691373.909744')'. Error: 'Duplicate entry '38714-1' for key 'PRIMARY''. 2017/01/17 15:16:16 ossec-dbd(5209): INFO: Closing connection to database. 2017/01/17 15:16:16 ossec-dbd(5210): INFO: Attempting to reconnect to database. 2017/01/17 15:16:17 ossec-dbd: Connected to database 'ossec' at '10.69.10.121'. 2017/01/17 15:16:17 ossec-dbd(5204): ERROR: Database error. Unable to run query. 2017/01/17 15:16:20 ossec-rootcheck: INFO: Starting rootcheck scan. 2017/01/17 15:17:37 ossec-dbd(5203): ERROR: Error executing query 'SELECT id FROM location WHERE name = '(dvsc1lx0044) 10.69.65.44->syscheck' AND server_id = '1' LIMIT 1'. Error: 'Lost connection to MySQL server during query'. 2017/01/17 15:17:37 ossec-dbd(5209): INFO: Closing connection to database. 2017/01/17 15:17:37 ossec-dbd(5210): INFO: Attempting to reconnect to database. 2017/01/17 15:17:37 ossec-dbd: Connected to database 'ossec' at '10.69.10.121'. On Tuesday, January 17, 2017 at 2:27:04 PM UTC-7, perezbox wrote: > > Hey Sean > > What error are you referring to? > > I see: 2017/01/17 14:10:12 ossec-agentd: INFO: Using notify time: 600 and > max time to reconnect: 1800 which is a notice, not an error I think... > > I'm curious, do you know why they are showing as disconnected? Have you > checked ossec.log for errors on both the agent and server? What do the logs > say? > > Tony > > On Tue, Jan 17, 2017 at 1:11 PM, Sean Roe <sea...@gmail.com <javascript:>> > wrote: > >> Hi All, >> >> I am running ossec 2.8.3 in a test environment and have come across a >> problem where I have agents listed as disconnected. I have tried setting >> in the agent.conf the following stanza and pushing it out to the agents via >> /var/ossec/etc/shared >> >> <agent_config> >> <client> >> <server-ip>10.14.10.17</server-ip> >> <notify_time>45</notify_time> >> <time-reconnect>60</time-reconnect> >> </client> >> >> blah, blah, blah (rest of config) >> >> I thought by shortening the notify and time-reconnect variables I would >> be able to keep the agents connected. When I do a restart of each of the >> agents I get the following error: >> >> [root@dvsc1lx0020 ~]# /var/ossec/bin/ossec-control restart >> Killing ossec-logcollector .. >> Killing ossec-syscheckd .. >> Killing ossec-agentd .. >> Killing ossec-execd .. >> OSSEC HIDS v2.8.3 Stopped >> Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)... >> Started ossec-execd... >> 2017/01/17 14:10:12 ossec-agentd: INFO: Using notify time: 600 and max >> time to reconnect: 1800 >> Started ossec-agentd... >> Started ossec-logcollector... >> >> >> So am I missing something here? >> >> Thanks, >> Sean >> >> -- >> >> --- >> You received this message because you are subscribed to the Google Groups >> "ossec-list" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to ossec-list+...@googlegroups.com <javascript:>. >> For more options, visit https://groups.google.com/d/optout. >> > > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.