Disconnected Agents


Sean Roe

Jan 17, 2017, 4:11:30 PM
to ossec-list
Hi All,

I am running ossec 2.8.3 in a test environment and have come across a problem where I have agents listed as disconnected. I have tried setting the following stanza in the agent.conf and pushing it out to the agents via /var/ossec/etc/shared:

<agent_config>
  <client>
    <server-ip>10.14.10.17</server-ip>
    <notify_time>45</notify_time>
    <time-reconnect>60</time-reconnect>
  </client>

 blah, blah, blah (rest of config)

I thought by shortening the notify and time-reconnect variables I would be able to keep the agents connected.  When I do a restart of each of the agents I get the following error:

[root@dvsc1lx0020 ~]# /var/ossec/bin/ossec-control restart
Killing ossec-logcollector ..
Killing ossec-syscheckd ..
Killing ossec-agentd ..
Killing ossec-execd ..
OSSEC HIDS v2.8.3 Stopped
Starting OSSEC HIDS v2.8.3 (by Trend Micro Inc.)...
Started ossec-execd...
2017/01/17 14:10:12 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800
Started ossec-agentd...
Started ossec-logcollector...


So am I missing something here?

Thanks,
Sean
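
Added example (not part of the original post or of OSSEC): a Python check that compares the `<client>` timing options in a config file with the values `ossec-agentd` reports at startup, which is the mismatch the post describes. The config text is the post's stanza closed by hand so that it parses, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the post's stanza (closed so it parses) and its startup line.
AGENT_CONF = """
<agent_config>
  <client>
    <server-ip>10.14.10.17</server-ip>
    <notify_time>45</notify_time>
    <time-reconnect>60</time-reconnect>
  </client>
</agent_config>
"""
STARTUP_LOG = "2017/01/17 14:10:12 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800\n"

OPTIONS = ("notify_time", "time-reconnect")
EFFECTIVE_RE = re.compile(
    r"ossec-agentd: INFO: Using notify time: (\d+) and max time to reconnect: (\d+)")


def configured_timing(conf_text):
    """Timing options set in any <client> block of the given config text."""
    # agent.conf may hold several <agent_config> blocks: wrap them in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    found = {}
    for client in root.iter("client"):
        for key in OPTIONS:
            value = client.findtext(key)
            if value and value.strip().isdigit():
                found[key] = int(value)
    return found


def effective_timing(log_text):
    """Values ossec-agentd reported at its most recent start, or None."""
    hits = EFFECTIVE_RE.findall(log_text)
    return dict(zip(OPTIONS, map(int, hits[-1]))) if hits else None


def timing_mismatches(conf_text, log_text):
    """(option, configured, effective) for each option the agent is not using."""
    actual = effective_timing(log_text) or {}
    wanted = configured_timing(conf_text)
    return [(k, v, actual[k]) for k, v in sorted(wanted.items())
            if actual.get(k, v) != v]


if __name__ == "__main__":
    print(timing_mismatches(AGENT_CONF, STARTUP_LOG))
```
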

Tony Perez

Jan 17, 2017, 4:27:04 PM
to ossec...@googlegroups.com
Hey Sean

What error are you referring to? 

I see: 2017/01/17 14:10:12 ossec-agentd: INFO: Using notify time: 600 and max time to reconnect: 1800 which is a notice, not an error I think... 

I'm curious, do you know why they are showing as disconnected? Have you checked ossec.log for errors on both the agent and server? What do the logs say?

Tony


Sean Roe

Jan 17, 2017, 4:54:08 PM
to ossec...@googlegroups.com
I looked at the logs on the ossec server and there are lots of these errors but I don't think they are related:

017/01/17 14:46:08 ossec-dbd(5203): ERROR: Error executing query 'INSERT INTO data(id, server_id, user, full_log) VALUES ('38672', '1', '(null)', 'ossec: Agent disconnected: `dvsc1lx1051-10.69.73.51`.') '. Error: 'Lost connection to MySQL server during query'.
2017/01/17 14:46:08 ossec-dbd(5209): INFO: Closing connection to database.
2017/01/17 14:46:08 ossec-dbd(5210): INFO: Attempting to reconnect to database.
2017/01/17 14:46:08 ossec-dbd: Connected to database 'ossec' at 'ppdc1lx0111'.
2017/01/17 14:46:08 ossec-dbd(5204): ERROR: Database error. Unable to run query.
2017/01/17 14:48:08 ossec-dbd(5203): ERROR: Error executing query 'INSERT INTO data(id, server_id, user, full_log) VALUES ('38675', '1', '(null)', 'ossec: Agent disconnected: `dvsc1lx0043-10.69.65.43`.') '. Error: 'Lost connection to MySQL server during query'.
2017/01/17 14:48:08 ossec-dbd(5209): INFO: Closing connection to database.
2017/01/17 14:48:08 ossec-dbd(5210): INFO: Attempting to reconnect to database.
2017/01/17 14:48:08 ossec-dbd: Connected to database 'ossec' at 'ppdc1lx0111'.
2017/01/17 14:48:08 ossec-dbd(5204): ERROR: Database error. Unable to run query.


Sean

Sean Roe

Jan 17, 2017, 5:20:28 PM
to ossec-list
I misspoke when I said error; I meant to say notice. I am still wondering why it didn't use the variables in agent.conf. There is nothing in either the server or agent logs except showing some errors on the database side that I don't think are related.

2017/01/17 15:09:55 ossec-dbd(5203): ERROR: Error executing query 'SELECT id FROM location WHERE name = 'mvsc1lx071->ossec-monitord' AND server_id = '1' LIMIT 1'. Error: 'Lost connection to MySQL server during query'.
2017/01/17 15:09:55 ossec-dbd(5209): INFO: Closing connection to database.
2017/01/17 15:09:55 ossec-dbd(5210): INFO: Attempting to reconnect to database.

Here I have turned up the verbosity in the ossec-dbd:


2017/01/17 15:16:16 ossec-dbd(5204): ERROR: Database error. Unable to run query.
2017/01/17 15:16:16 ossec-dbd(5203): ERROR: Error executing query 'INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('38714', '1', '5502','1484691376', '107', '0', '0', '0', '0', '1484691373.909744')'. Error: 'Duplicate entry '38714-1' for key 'PRIMARY''.
2017/01/17 15:16:16 ossec-dbd(5209): INFO: Closing connection to database.
2017/01/17 15:16:16 ossec-dbd(5210): INFO: Attempting to reconnect to database.
2017/01/17 15:16:17 ossec-dbd: Connected to database 'ossec' at '10.69.10.121'.
2017/01/17 15:16:17 ossec-dbd(5204): ERROR: Database error. Unable to run query.
2017/01/17 15:16:20 ossec-rootcheck: INFO: Starting rootcheck scan.
2017/01/17 15:17:37 ossec-dbd(5203): ERROR: Error executing query 'SELECT id FROM location WHERE name = '(dvsc1lx0044) 10.69.65.44->syscheck' AND server_id = '1' LIMIT 1'. Error: 'Lost connection to MySQL server during query'.
2017/01/17 15:17:37 ossec-dbd(5209): INFO: Closing connection to database.
2017/01/17 15:17:37 ossec-dbd(5210): INFO: Attempting to reconnect to database.
2017/01/17 15:17:37 ossec-dbd: Connected to database 'ossec' at '10.69.10.121'.
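
Added example (not from the thread or the OSSEC project): a Python triage of the `ossec-dbd` query errors quoted above, grouping them by MySQL error and listing the "Agent disconnected" alerts that never reached the database. The sample lines are copied from the posts, and the function and variable names are hypothetical.

```python
import re
from collections import Counter

# Sample input: ossec-dbd lines quoted in the thread (one INFO line is
# included to show that non-error lines are skipped).
SAMPLE_LOG = r"""
2017/01/17 14:48:08 ossec-dbd(5203): ERROR: Error executing query 'INSERT INTO data(id, server_id, user, full_log) VALUES ('38675', '1', '(null)', 'ossec: Agent disconnected: `dvsc1lx0043-10.69.65.43`.') '. Error: 'Lost connection to MySQL server during query'.
2017/01/17 14:48:08 ossec-dbd(5209): INFO: Closing connection to database.
2017/01/17 15:09:55 ossec-dbd(5203): ERROR: Error executing query 'SELECT id FROM location WHERE name = 'mvsc1lx071->ossec-monitord' AND server_id = '1' LIMIT 1'. Error: 'Lost connection to MySQL server during query'.
2017/01/17 15:16:16 ossec-dbd(5203): ERROR: Error executing query 'INSERT INTO alert(id,server_id,rule_id,timestamp,location_id,src_ip,src_port,dst_ip,dst_port,alertid) VALUES ('38714', '1', '5502','1484691376', '107', '0', '0', '0', '0', '1484691373.909744')'. Error: 'Duplicate entry '38714-1' for key 'PRIMARY''.
"""

# Message 5203 is the "Error executing query" line shown in the posts. Both the
# query and the error text contain quotes, so match greedily up to the fixed
# "'. Error: '" separator and the closing "'." at end of line.
QUERY_ERR_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ossec-dbd\(5203\): ERROR: "
    r"Error executing query '(?P<query>.*)'\. Error: '(?P<err>.*)'\.$",
    re.MULTILINE)
AGENT_RE = re.compile(r"Agent disconnected: `([^`]+)`")


def triage(log_text):
    """Return (error class -> count, [(timestamp, agent)] of unsaved disconnect alerts)."""
    classes, lost = Counter(), []
    for m in QUERY_ERR_RE.finditer(log_text):
        # Mask quoted values so errors differing only by id fall in one class.
        classes[re.sub(r"'[^']*'", "'?'", m["err"])] += 1
        agent = AGENT_RE.search(m["query"])
        if agent:
            lost.append((m["ts"], agent.group(1)))
    return classes, lost


if __name__ == "__main__":
    classes, lost = triage(SAMPLE_LOG)
    for reason, count in classes.most_common():
        print(f"{count:3d}  {reason}")
    for ts, agent in lost:
        print(f"disconnect alert not stored: {ts} {agent}")
```
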