OSSEC 2.8.1 - notify_time + time-reconnect


Robert Micallef

Apr 2, 2015, 5:22:26 AM
to ossec...@googlegroups.com
Hi,

I am trying to get the OSSEC server to generate alerts sooner when the agent gets disconnected. As far as I can tell, this behavior should be built in to OSSEC v2.8.1.

I tried adding the following in the agent:

<client>
    <server-ip>192.168.xxx.xxx</server-ip>
    <notify_time>60</notify_time>
    <time-reconnect>90</time-reconnect>
</client>

This made no difference. The server generated the disconnected agent alert after about 30 minutes. I read somewhere that the formula is (NOTIFY_TIME * 3) + 30, which would be 210 seconds, so 3.5 minutes (still way less than 30 minutes).

In the documentation there is no mention of where in the server to configure the agent disconnected timeout. Even though I was doubtful, I tried anyway, adding the following in the server ossec.conf:

<client>
    <notify_time>60</notify_time>
    <time-reconnect>90</time-reconnect>
</client>

As expected this made no difference.

Can anyone explain how notify_time + time-reconnect work? From the documentation, I can see that you can configure the agent to send a keep alive every notify_time seconds and to reconnect if disconnected every time-reconnect seconds. It doesn't mention anywhere where you can configure the server to mark an agent as disconnected.

Can anyone help?
 
Thanks,
Robert

dan (ddp)

Apr 2, 2015, 8:01:25 AM
to ossec...@googlegroups.com
I don't see any options for the server side off hand. Without actually
looking at it I don't think it would be too hard of a change, if
you're interested.
Submit any pull requests to https://github.com/ossec/ossec-hids


Robert Micallef

Apr 6, 2015, 10:24:16 AM
to ossec...@googlegroups.com
Thanks for the reply. I created a pull request. I hope I chose the right options. I chose Stable as base and master to compare.

What are notify_time and time_reconnect currently used for then? Wouldn't the agents automatically try to reconnect in case of a problem?