OSSEC server restart and agent re-connect?


jplee3

Aug 3, 2011, 11:47:51 AM
to ossec-list
Hi all,

I've been noticing that after I restart the OSSEC server, the Agents
don't seem to re-connect right away. Is this expected behavior? We are
constantly making changes to rules, etc. on the server which in turn
also affect active response. I noticed this when I restarted the
server and then tried using agent_control -R to restart some agents -
the command didn't seem to propagate until after I manually restarted
the agent itself.

Do the agents *eventually* reconnect like after 30 minutes (per OSSEC
keepalives)?

On that note, is there a way to change the keepalive timeframe? I
thought I read it was 30 mins somewhere. I also seem to recall being
able to modify the source for this, but it would be nice if there were
a way to do it in the configuration files.

Thanks

Daniel Cid

Aug 3, 2011, 12:21:50 PM
to ossec...@googlegroups.com
Yes, when you restart the manager, it will only be able to communicate
back to the agent after a keep alive is received from it. Since a keep
alive is sent every 10 min, during this time frame you won't be able to
send anything to it...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

Jeremy Lee

Aug 3, 2011, 12:53:58 PM
to ossec...@googlegroups.com
Hi Daniel,

How would I go about changing that keep alive if I wanted to?


Thanks,
Jeremy

dan (ddp)

Sep 5, 2011, 3:12:32 PM
to ossec...@googlegroups.com
src/headers/defs.h
NOTIFY_TIME

Bart Nukats

May 14, 2014, 4:37:00 AM
to ossec...@googlegroups.com
Hi,

I've noticed today that all agents were disconnected, so I manually ran an agent on a host and the status info is "Running..". It has been like this for 30 minutes now. I tried to send agent control -R ID from the server, but it didn't help. Any ideas?

Br

dan (ddp)

May 14, 2014, 8:58:06 AM
to ossec...@googlegroups.com
Check your logs?


Bart Nukats

May 14, 2014, 9:01:39 AM
to ossec...@googlegroups.com
Alright,

I found what the issue was: multiple duplicates.

The fix:

Go into /var/ossec/queue/rids.

Pick the agent number which is disconnected, edit it, remove all inside; pick sender_counter, clean everything inside.

service ossec restart

Worked.

br
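
A scripted form of the fix described in the post above, as an added example that is not part of the thread or of OSSEC's own tooling: it validates the agent ID, backs up the agent's counter file and `sender_counter`, then empties both in place. The function name `reset_rids`, the `OSSEC_DIR` override and the backup location under `tmp/` are assumptions made here.

```shell
#!/bin/sh
# Added example: empty the stored counters for one agent, keeping a backup.
# reset_rids is a hypothetical helper name, not an OSSEC command.
# OSSEC_DIR defaults to /var/ossec, the install path used in the post.

reset_rids() {
    agent_id=$1
    base="${OSSEC_DIR:-/var/ossec}"
    rids_dir="$base/queue/rids"

    # Agent IDs are numeric (e.g. 003). Reject anything else so the value
    # can never be used to step outside the rids directory.
    case $agent_id in
        ''|*[!0-9]*) echo "invalid agent id: $agent_id" >&2; return 2 ;;
    esac

    if [ ! -f "$rids_dir/$agent_id" ]; then
        echo "no counter file for agent $agent_id in $rids_dir" >&2
        return 1
    fi

    # Back up outside queue/rids so the copies are never read as counters.
    # The tmp/ location is an assumption; change it to suit the host.
    backup_dir="$base/tmp/rids-backup.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup_dir" || return 1

    for f in "$agent_id" sender_counter; do
        [ -f "$rids_dir/$f" ] || continue
        cp -p "$rids_dir/$f" "$backup_dir/$f" || return 1
        : > "$rids_dir/$f"    # empty in place, keeping owner and mode
    done

    # Print where the old counters went so they can be restored if needed.
    echo "$backup_dir"
}
```

Source the file as root and call it with the disconnected agent's ID, for example `reset_rids 003`, then run `service ossec restart` as in the post.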