OSSEC Agent Disconnected - definition
BP9906
what does "Ossec agent disconnected" mean?
The obvious answer is that the agent disconnected temporarily. I get
these alerts from agents off and on, and when the ossec server is very
busy (remoted, monitord, and analysisd). I reviewed ossec.log files on
the agents that disconnect and have found no issue listed. In fact,
agent_control on ossec server shows connected and 'keep alive' date/
time are within a minute or so.
So why get alerts on these? Also, why not get alerts on ossec agent
reconnected?
Would an agent disconnecting also lead to potential events not being
received by the ossec server? I've noticed that select windows events
are not making it to the ossec server, but my EPS (events per second)
is only ~311 for Jan 2012.
Thoughts?
Thank you!
dan (ddp)
> I'm not trying to ask a dumb question for an obvious description, but
> what does "Ossec agent disconnected" mean?
>
I think (but haven't verified) that it means the manager didn't
receive a 3 consecutive keep alives.
> The obvious answer is that the agent disconnected temporarily. I get
> these alerts from agents off and on, and when the ossec server is very
> busy (remoted, monitord, and analysisd). I reviewed ossec.log files on
> the agents that disconnect and have found no issue listed. In fact,
> agent_control on ossec server shows connected and 'keep alive' date/
> time are within a minute or so.
>
> So why get alerts on these? Also, why not get alerts on ossec agent
> reconnected?
>
No idea, I thought there was an event for that.
> Would an agent disconnecting also lead to potential events not being
> received by the ossec server? I've noticed that select windows events
> are not making it to the ossec server, but my EPS (events per second)
> is only ~311 for Jan 2012.
>
Is it always the same events? The communication is UDP, so it's
entirely possible there are missing events.
> Thoughts?
>
> Thank you!