
List:       ossec-list
Subject:    Re: [ossec-list] OSSEC 2.3: All agents disconnected
From:       "--[ UxBoD ]--" <uxbod () splatnix ! net>
Date:       2009-12-24 11:31:29
Message-ID: 21672815.425.1261654289486.JavaMail.root () office ! splatnix ! net

----- "--[ UxBoD ]--" <uxbod@splatnix.net> wrote:

> ----- "--[ UxBoD ]--" <uxbod@splatnix.net> wrote:
> 
> > ----- "Michael Starks" <ossec-list@michaelstarks.com> wrote:
> > 
> > > > Well it appears to not be port scanning which brings down the
> > > > connections :(
> > > > 
> > > > All agents disconnected again today at exactly the same time as
> > > > yesterday.  I have checked the crontabs on the server and nothing
> > > > appears to be running at that time.
> > > > 
> > > > I started all daemons up with -d -d but no debugging information,
> > > > regarding the disconnections, appeared in the log.
> > > > 
> > > > How can I enable further debugging to ascertain why this is
> > > > happening please ????
> > > 
> > > If it happened at the same time, maybe it has something to do with a
> > > syscheck or rootcheck scan.
> > 
> > Perhaps; though why would it not be picked up in the debugging ?
> > 
> > Best Regards,
> 
> Well it happened again this morning, at exactly the same time, though
> this time I had tcpdump running.  It would appear at the time they all
> disconnected a Windows 2K3 server from port 1275 connected to the OSSEC
> manager.  At that point all the agents disconnected.
> 
> Thoughts ?

The problem has been resolved :) it was due to the vserver hashify functionality ..
Have added /usr/local/ossec to the exclude file and all agents stay connected now.
Very confused as to why that happens though as no other vservers have ossec
installed.

Thanks,

