An agent is connected if the manager received a keep alive on the past 30 minutes. The agent sends (by default) a keep alive message every 10 minutes, everytime manager get a new keep alive, update an internal file for that particular agent, if the agent after three tries (30 minutes) don't reach the manager, manager will identify that agent as "Disconnected".
agent_control and, in general, disconnected/connected status is calculated by getting last modification date of agent-info files located in: */var/ossec/queue/agent-info/* If the difference between an agent-info file and current time is greater than 30 minutes, the manager "switch" the status of that agent to Disconnected. One funny trick is to update manually all the files in agent-info folder, then run agent_control -lc and look how all your agents seem "Active" haha. Regards, Pedro Sanchez. On Tue, May 16, 2017 at 3:33 PM, Akash Munjal <akashmunjal...@gmail.com> wrote: > Hi Dan, > > I want know, how ossec manager found that agent is disconnected. > Not by " /var/ossec/bin/agent_control -lc " this command. > I mean by their connection(or communication). > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
