Ossec Max agents
How to increase Ossec max supported agents to more than 256?
I'm using CentOS 6.4
-
- Atomicorp Staff - Site Admin
Re: Ossec Max agents
You'd have to rebuild the packages to do it. ASL's packages don't have this limitation; it's set to 8092 in ASL.
Re: Ossec Max agents
Can anyone confirm that it is 8092? I am using ossec-hids-server-2.8.1-47.el6.art.x86_64 on RHEL 6.3. The max open files is set to 10,000. However, remoted is still showing that the max agents is 256.
2014/10/08 21:02:25 ossec-remoted: INFO: Started (pid: 28839).
2014/10/08 21:02:25 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2014/10/08 21:02:25 ossec-remoted(1410): INFO: Reading authentication keys file.
2014/10/08 21:02:25 ossec-remoted(4110): ERROR: Maximum number of agents '254' reached.
2014/10/08 21:02:25 ossec-remoted(1202): ERROR: Configuration error at '/etc/client.keys'. Exiting.
- mikeshinn
- Atomicorp Staff - Site Admin
Re: Ossec Max agents
What version of ASL do you have installed?
Michael Shinn
Atomicorp - Security For Everyone
Re: Ossec Max agents
I am only installing OSSEC via the ossec-hids-server-2.8.1-47.el6.art.x86_64 RPM. Is there a different OSSEC server RPM you get when you install ASL?
- mikeshinn
- Atomicorp Staff - Site Admin
Re: Ossec Max agents
Yes. ASL's ossec rpms are different.
Michael Shinn
Atomicorp - Security For Everyone
Re: Ossec Max agents
Thank you for your quick reply.
Just to make sure... You are saying the ossec-hids-server rpm located here: http://www5.atomicorp.com/channels/osse ... 6_64/RPMS/ is not the same OSSEC RPM being referred to above that is set to 8092 max agents? Instead it is set to 256?
- mikeshinn
- Atomicorp Staff - Site Admin
Re: Ossec Max agents
Correct. ASL uses a different ossec build and a repository.
Michael Shinn
Atomicorp - Security For Everyone
Re: Ossec Max agents
I took a look at the spec file in the source RPM (just noticed you had it available). The spec file is setting the max agents to 16384 before it compiles...
# Increase max agents
echo "HEXTRA=-DMAX_AGENTS=16384" >> ./Config.OS
-
- Atomicorp Staff - Site Admin
Re: Ossec Max agents
That was probably changed afterwards. At the moment ossec is built 3 different times (ASL, atomic, and the ossec repo). It makes coordination difficult; one of the changes we're making in OSSEC 2.9 is a big cleanup of the makefiles to support this kind of thing without having to resort to init file hacks like that.
Re: Ossec Max agents
That will be an excellent improvement. Thanks for replying.
One odd thing though... I re-created the RPMs using that spec file and I still receive the max agents error. Are you aware of anything else (besides max open files not being high enough) that would cause that error? I also verified I see the max agents value being passed during the compile.
-
- Atomicorp Staff - Site Admin
Re: Ossec Max agents
Not off the top of my head. Those have been going through a lot of changes after the makefile-rage that went on in github earlier this week.
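Added example, not part of the thread and not Atomicorp or OSSEC project code: a shell check for the situation in the last question, comparing the limit the running ossec-remoted logged at startup with the value passed to the build and with the number of entries in client.keys. The function names, the verdict strings and the "ID name IP key" layout assumed for client.keys are assumptions of this example; the log and keys file paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: SCRIPT LOG CLIENT_KEYS EXPECTED_MAX

# Prints "MAX CEILING" for the last ossec-remoted start recorded in the log:
# MAX from message 4111, CEILING from a 4110 error logged after it ("-" if absent).
last_start_limits() {
    awk -v q="'" '
        /ossec-remoted\(4111\): INFO: Maximum number of agents allowed:/ {
            split($0, a, q); max = a[2]; lim = "-" }
        /ossec-remoted\(4110\): ERROR: Maximum number of agents/ {
            split($0, a, q); lim = a[2] }
        END { if (max == "") max = "-"; if (lim == "") lim = "-"; print max, lim }' "$1"
}

# Entries in client.keys; assumes one "ID name IP key" line per agent.
count_agent_keys() {
    awk '$1 ~ /^[0-9]+$/ { n++ } END { print n + 0 }' "$1"
}

# Prints one verdict: NO_LIMIT_LINE, STALE_BINARY, AT_LIMIT or OK.
check_agent_capacity() {
    limits=$(last_start_limits "$1")
    max=${limits% *}
    ceiling=${limits#* }
    keys=$(count_agent_keys "$2")
    # The thread's log names 254 in the error while 256 is "allowed", so use the
    # ceiling from the 4110 line when one was logged, else the reported limit.
    if [ "$ceiling" = "-" ]; then ceiling=$max; fi
    if [ "$max" = "-" ]; then
        echo "NO_LIMIT_LINE"
    elif [ "$max" -ne "$3" ]; then
        # The daemon that wrote the log was not compiled with EXPECTED_MAX.
        echo "STALE_BINARY reported=$max expected=$3 keys=$keys"
    elif [ "$keys" -ge "$ceiling" ]; then
        echo "AT_LIMIT ceiling=$ceiling keys=$keys"
    else
        echo "OK reported=$max keys=$keys"
    fi
}

if [ "$#" -eq 3 ]; then
    check_agent_capacity "$1" "$2" "$3"
else
    # Constructed input: two log lines as quoted in the thread, three made-up keys.
    d=$(mktemp -d)
    printf '%s\n' \
        "2014/10/08 21:02:25 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'." \
        "2014/10/08 21:02:25 ossec-remoted(4110): ERROR: Maximum number of agents '254' reached." \
        > "$d/ossec.log"
    printf '%s\n' "001 web01 10.0.0.1 k1" "002 web02 10.0.0.2 k2" "003 db01 10.0.0.3 k3" > "$d/client.keys"
    check_agent_capacity "$d/ossec.log" "$d/client.keys" 16384
    rm -rf "$d"
fi
```

A STALE_BINARY verdict after a rebuild means the ossec-remoted process that wrote the log is not the one compiled with the new value, which points at the installed package or a daemon that was not restarted rather than at client.keys.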