Disconnect Alerts


Doman, Tyler

Aug 28, 2015, 11:19:41 AM8/28/15
to ossec...@googlegroups.com

Hi,


I’ve been running OSSEC for a couple of years now without any significant issues. The server monitors around 200 servers that are a mix of Windows and Unix servers. Recently, OSSEC is alerting me that most, if not all, agents are repeatedly disconnecting and reconnecting. There is no pattern that I’ve been able to notice. The disconnects span anywhere from 2 hours to 7 hours. I suspect there is an issue with the OSSEC server. Has anyone encountered this and have suggestions on what I should do? If there are logs on the server that I can check, please direct me to where those are and what I should look for in the logs.


Regards,


Tyler Doman, CISSP, CHP

Account Security Officer

Enterprise Security Services

Hewlett Packard

+1 541.360.4028/ Office

+1 503.383.8411/ Mobile 

tyler...@hp.com   

4070 27th CT SE, Suite 100, Salem, OR  97302


dan (ddp)

Aug 31, 2015, 9:48:55 PM8/31/15
to ossec...@googlegroups.com
On Fri, Aug 28, 2015 at 11:15 AM, Doman, Tyler <tyler...@hp.com> wrote:
> Hi,
>
>
>
> I’ve been running OSSEC for a couple of years now without any significant
> issues. The server monitors around 200 servers that is a mix of Windows and
> Unix servers. Recently, OSSEC is alerting me that most, if not all, agents
> are repeatedly disconnecting and reconnecting. There is no pattern that I’ve
> been able to notice. The disconnects span anywhere from 2 hours to 7 hours.
> I suspect there is an issue with OSSEC server. Has anyone encountered this
> and have suggestions on what I should do? If there’s logs on the server that
> I can check, please direct me to where those are and what I should look for
> in the logs.
>

/var/ossec/logs/ossec.log
If you don't see anything, try turning debugging on with
`/var/ossec/bin/ossec-control enable debug` and restart the ossec
processes.


Brad Lhotsky

Sep 7, 2015, 10:27:19 AM9/7/15
to ossec...@googlegroups.com
You might consider tuning the network stack on the OSSEC server to make better
use of your network card. For instance, CentOS 6 is tuned to work best with a
10/100 MB Ethernet card, so if your server is on Gig-E, you might experience
buffer overruns and socket pile-ups, especially when syscheckd is running its
scheduled scans.

Here's where I'd start with Linux sysctl on an OSSEC Server with gigabit
ethernet:

# Core Settings (kernel-wide socket buffer limits; these are what UDP uses)
net.core.netdev_max_backlog = 2500
net.core.rmem_max = 16777216
net.core.rmem_default = 16777216
net.core.wmem_max = 16777216
net.core.wmem_default = 16777216

# TCP Settings (Not necessary for OSSEC performance)
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# tcp_mem is in pages, not bytes
net.ipv4.tcp_mem = 8388608 8388608 8388608

# UDP Settings (OSSEC agent traffic is UDP)
# Linux has no udp_rmem/udp_wmem keys; the per-socket minimums are
# udp_rmem_min/udp_wmem_min and take a single value in bytes.
net.ipv4.udp_rmem_min = 4096
net.ipv4.udp_wmem_min = 4096
# udp_mem is in pages, not bytes
net.ipv4.udp_mem = 8388608 8388608 8388608

Check your network gear for its utilization. We experienced a similar issue
when a clever system administrator patched our NSS stack to parallel query 20
DNS servers simultaneously. This caused issues with UDP state tracking on the
Juniper firewalls which led to poor UDP performance everywhere.

--
Brad Lhotsky
https://github.com/reyjrar
https://speakdeck.com/reyjrar
https://edgeofsanity.net
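An added example (not from this thread or from OSSEC) that checks for the buffer overruns Brad describes: it diffs the Udp: counters of /proc/net/snmp between two snapshots (a rising RcvbufErrors count while agents flap means the kernel dropped datagrams for lack of socket buffer) and compares the host's receive-side sysctl values against the ones recommended above. The snapshots and sysctl output embedded below are constructed; the /proc/net/snmp layout and sysctl key names are the real ones.

```python
import re
import subprocess
import time

# Constructed /proc/net/snmp snapshots (real layout: Udp: header, Udp: values).
SNMP_BEFORE = """Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 1000 2 5 800 5 0
"""
SNMP_AFTER = """Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors
Udp: 5000 2 47 3200 47 0
"""
# Constructed `sysctl` output from an untuned host.
SYSCTL_SAMPLE = """net.core.rmem_max = 212992
net.core.rmem_default = 212992
net.core.netdev_max_backlog = 1000
"""
# Receive-side values from the post above (the kernel-wide ones govern UDP).
RECOMMENDED = {"net.core.netdev_max_backlog": 2500,
               "net.core.rmem_max": 16777216,
               "net.core.rmem_default": 16777216}

def parse_snmp_udp(text):
    """Return the Udp: counters of a /proc/net/snmp dump as a dict."""
    lines = [l for l in text.splitlines() if l.startswith("Udp:")]
    if len(lines) != 2:
        raise ValueError("expected one Udp: header line and one value line")
    keys = lines[0].split()[1:]
    vals = [int(v) for v in lines[1].split()[1:]]
    return dict(zip(keys, vals))

def udp_error_delta(before, after):
    """How much the UDP drop counters grew between two snapshots."""
    b, a = parse_snmp_udp(before), parse_snmp_udp(after)
    return {k: a[k] - b[k] for k in ("InErrors", "RcvbufErrors")}

def sysctl_shortfalls(sysctl_text, recommended=RECOMMENDED):
    """Map each recommended key that is below target to (current, target)."""
    current = {}
    for line in sysctl_text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*(\d+)\s*$", line)
        if m:
            current[m.group(1)] = int(m.group(2))
    return {k: (current.get(k), v) for k, v in recommended.items()
            if current.get(k, 0) < v}

if __name__ == "__main__":  # live run on a Linux OSSEC server
    first = open("/proc/net/snmp").read(); time.sleep(10)
    second = open("/proc/net/snmp").read()
    print("UDP drops in 10 s:", udp_error_delta(first, second))
    live = subprocess.run(["sysctl"] + list(RECOMMENDED), capture_output=True, text=True).stdout
    print("sysctl below recommended:", sysctl_shortfalls(live))
```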