Hi,
I have been using OSSEC for quite a while and we decided to upgrade the version (2.7.1) to 2.8.3, and that was relatively successful except for the fact that it pulled a number on my ossec.conf by creating indent problems and adding open brackets in the wrong area, but anyway it works. My issue is that for the moment our client will not update the OSSEC agents and wishes to keep 2.7.1. I have not seen any documentation that would indicate a compatibility issue; however, I noticed that no matter what I do, the agents will end up disconnecting. They will start out all active and then after 20 minutes or so they will all be disconnected except for a small minority.
When I performed the install I set the maximum number of agents to 4096 because the client has about … I would say close to 3000 agents. Furthermore, the installation did go well; however, I suspect that the agent.conf file in the shared folder got messed up due to this update being very significant. I have been working on this issue for at least three days and I am no longer certain where to look.
I would like to specify that I have already tried to erase the RIDS while OSSEC is stopped (server), and when I start it back up again the same issue occurs. Now I am hoping the solution will not be to erase the rids from the client, as it would be a long process for our customer.
Thank you,
Alexandre Laquerre
Security Analyst
LINKBYNET
1255 Place Phillips, Suite 700,
Montréal, QC H3B 3G1
Switchboard: +1 800 258 0820
Security division: +1 514 667 0554
Web: www.linkbynet.com

On Apr 5, 2016 12:03 PM, "Alexandre Laquerre" <laquerre....@gmail.com> wrote:
>
> Hi,
> I have created a Gmail account, which may make it easier anyway. So I noticed that when I updated the server to 2.8.3 everything seemed to be good; however, now the agents are almost all disconnected, then 20 minutes later they are all basically 50/50.
>
> I am getting a lot of duplicate issues or invalid ID. When considering that we have around 2-3k agents, what would be the best solution?
>
Try upgrading an agent that currently has issues to 2.8.3 to see if the issues continue. Using mismatched versions isn't really supported.
> Thank you,
Thank you very much for the information,
I was able to convince our customer to deploy the new version update in order to limit the downtime, and, well, he is going to install 10 or 20 machines in order to see if it works or not.
Thank you,
Alexandre Laquerre
Security Analyst
From: Kat [mailto:uncom...@gmail.com]
Sent: Tuesday, April 12, 2016 9:52 AM
To: ossec-list <ossec...@googlegroups.com>
Cc: Alexandre LAQUERRE <a.laq...@linkbynet.com>
Subject: Re: Ossec Agent 2.71 Keeps disconnecting from Ossec server 2.8.3
I have seen this as well, and what I found seemed to be related to encryption being used on 2.8.3 vs the 2.7 packages. As Santi suggested, also removing the rids for the agents allows it to connect. I would, however, strongly suggest keeping them within the same release, and it avoids many of the problems observed.
Kat