I mis-spoke when I said error, I meant to say notice. I am still wondering
why it didn't use the variables in agent.conf. There is nothing in either
the server or agent logs except showing some errors on the database side
that I dont think are related.
2017/01/17 15:09:55 ossec-dbd(5203): ERROR: Error executing query 'SELECT
id FROM location WHERE name = 'mvsc1lx071->ossec-monitord' AND server_id =
'1' LIMIT 1'. Error: 'Lost connection to MySQL server during query'.
2017/01/17 15:09:55 ossec-dbd(5209): INFO: Closing connection to database.
2017/01/17 15:09:55 ossec-dbd(5210): INFO: Attempting to reconnect to
database.
Here I have turned up the verbosity in the ossec-dbd:
2017/01/17 15:16:16 ossec-dbd(5204): ERROR: Database error. Unable to run
query.
2017/01/17 15:16:16 ossec-dbd(5203): ERROR: Error executing query 'INSERT
INTO
alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid)
VALUES ('38714', '1', '5502','1484691376', '107', '0', '0', '0', '0',
'1484691373.909744')'. Error: 'Duplicate entry '38714-1' for key 'PRIMARY''.
2017/01/17 15:16:16 ossec-dbd(5209): INFO: Closing connection to database.
2017/01/17 15:16:16 ossec-dbd(5210): INFO: Attempting to reconnect to
database.
2017/01/17 15:16:17 ossec-dbd: Connected to database 'ossec' at
'10.69.10.121'.
2017/01/17 15:16:17 ossec-dbd(5204): ERROR: Database error. Unable to run
query.
2017/01/17 15:16:20 ossec-rootcheck: INFO: Starting rootcheck scan.
2017/01/17 15:17:37 ossec-dbd(5203): ERROR: Error executing query 'SELECT
id FROM location WHERE name = '(dvsc1lx0044) 10.69.65.44->syscheck' AND
server_id = '1' LIMIT 1'. Error: 'Lost connection to MySQL server during
query'.
2017/01/17 15:17:37 ossec-dbd(5209): INFO: Closing connection to database.
2017/01/17 15:17:37 ossec-dbd(5210): INFO: Attempting to reconnect to
database.
2017/01/17 15:17:37 ossec-dbd: Connected to database 'ossec' at
'10.69.10.121'.
On Tuesday, January 17, 2017 at 2:27:04 PM UTC-7, perezbox wrote:
>
> Hey Sean
>
> What error are you referring to?
>
> I see: 2017/01/17 14:10:12 ossec-agentd: INFO: Using notify time: 600 and
> max time to reconnect: 1800 which is a notice, not an error I think...
>
> I'm curious, do you know why they are showing as disconnected? Have you
> checked ossec.log for errors on both the agent and server? What do the logs
> say?
>
> Tony
>
> On Tue, Jan 17, 2017 at 1:11 PM, Sean Roe <sea...@gmail.com <javascript:>>
> wrote:
>
>> Hi All,
>>
>> I am running ossec 2.8.3 in a test environment and have come across a
>> problem where I have agents listed as disconnected. I have tried setting
>> in the agent.conf the following stanza and pushing it out to the agents via
>> /var/ossec/etc/shared
>>
>> <agent_config>
>> <client>
>> <server-ip>10.14.10.17</server-ip>
>> <notify_time>45</notify_time>
>> <time-reconnect>60</time-reconnect>
>> </client>
>>
>> blah, blah, blah (rest of config)
>>
>> I thought by shortening the notify and time-reconnect variables I would
>> be able to keep the agents connected. When I do a restart of each of the
>> agents I get the following error:
>>
>> [root@dvsc1lx0020 ~]# /var/ossec/bin/ossec-control restart
>> Killing ossec-logcollector ..
>> Killing ossec-syscheckd ..
>> Killing ossec-agentd ..
>> Killing ossec-execd ..
>> OSSEC HIDS v2.8.3 Stopped
>> Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
>> Started ossec-execd...
>> 2017/01/17 14:10:12 ossec-agentd: INFO: Using notify time: 600 and max
>> time to reconnect: 1800
>> Started ossec-agentd...
>> Started ossec-logcollector...
>>
>>
>> So am I missing something here?
>>
>> Thanks,
>> Sean
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to ossec-list+...@googlegroups.com <javascript:>.
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
