Ossec Max agents

Salas
New Forum User
Posts: 1
Joined: Mon Jul 28, 2014 3:14 am
Location: Lithuania

Ossec Max agents

Unread post by Salas »

How to increase Ossec max supported agents to more than 256?
I'm using CentOS 6.4
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Ossec Max agents

Unread post by scott »

You'd have to rebuild the packages to do it. ASL's packages don't have this limitation; it's set to 8092 in ASL.
jasonmg
Forum User
Posts: 5
Joined: Thu Oct 09, 2014 12:39 am
Location: USA

Re: Ossec Max agents

Unread post by jasonmg »

Can anyone confirm that it is 8092? I am using ossec-hids-server-2.8.1-47.el6.art.x86_64 on RHEL 6.3. The max open files is set to 10,000. However, remoted is still showing that the max agents is 256.

2014/10/08 21:02:25 ossec-remoted: INFO: Started (pid: 28839).
2014/10/08 21:02:25 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2014/10/08 21:02:25 ossec-remoted(1410): INFO: Reading authentication keys file.
2014/10/08 21:02:25 ossec-remoted(4110): ERROR: Maximum number of agents '254' reached.
2014/10/08 21:02:25 ossec-remoted(1202): ERROR: Configuration error at '/etc/client.keys'. Exiting.
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4152
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Ossec Max agents

Unread post by mikeshinn »

What version of ASL do you have installed?
jasonmg
Forum User
Posts: 5
Joined: Thu Oct 09, 2014 12:39 am
Location: USA

Re: Ossec Max agents

Unread post by jasonmg »

I am only installing OSSEC via the ossec-hids-server-2.8.1-47.el6.art.x86_64 RPM. Is there a different OSSEC server RPM you get when you install ASL?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4152
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Ossec Max agents

Unread post by mikeshinn »

Yes. ASL's ossec rpms are different.
jasonmg
Forum User
Posts: 5
Joined: Thu Oct 09, 2014 12:39 am
Location: USA

Re: Ossec Max agents

Unread post by jasonmg »

Thank you for your quick reply.

Just to make sure... You are saying the ossec-hids-server rpm located here: http://www5.atomicorp.com/channels/osse ... 6_64/RPMS/ is not the same OSSEC RPM being referred to above that is set to 8092 max agents? Instead it is set to 256?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4152
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Ossec Max agents

Unread post by mikeshinn »

Correct. ASL uses a different ossec build and a repository.
jasonmg
Forum User
Posts: 5
Joined: Thu Oct 09, 2014 12:39 am
Location: USA

Re: Ossec Max agents

Unread post by jasonmg »

I took a look at the spec file in the source RPM (just noticed you had it available). The spec file is setting the max agents to 16384 before it compiles...

# Increase max agents
echo "HEXTRA=-DMAX_AGENTS=16384" >> ./Config.OS
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Ossec Max agents

Unread post by scott »

That was probably changed afterwards. At the moment ossec is built 3 different times (ASL, atomic, and the ossec repo). It makes coordination difficult; one of the changes we're making in OSSEC 2.9 is a big cleanup of the makefiles to support this kind of thing without having to resort to init file hacks like that.
jasonmg
Forum User
Posts: 5
Joined: Thu Oct 09, 2014 12:39 am
Location: USA

Re: Ossec Max agents

Unread post by jasonmg »

That will be an excellent improvement. Thanks for replying.

One odd thing though... I re-created the RPMs using that spec file and I still receive the max agents error. Are you aware of anything else (besides max open files not being high enough) that would cause that error? I also verified I see the max agents value being passed during the compile.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Ossec Max agents

Unread post by scott »

Not off the top of my head. Those have been going through a lot of changes after the makefile-rage that went on in github earlier this week.
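
Added example, not part of the thread and not Atomicorp or OSSEC project code: a shell check that compares the limit ossec-remoted reports at startup (the 4111 log line quoted above) with the number of entries in client.keys. The function names, the sample files, the assumed client.keys layout (one entry per line, starting with a numeric agent ID) and the two-slot margin (taken from the log above, where the error is raised at '254' with '256' allowed) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): does client.keys fit under the
# MAX_AGENTS value the running ossec-remoted was compiled with?

# Print the last limit ossec-remoted reported at startup (4111 INFO line).
remoted_max_agents() {
    sed -n "s/.*ossec-remoted(4111): INFO: Maximum number of agents allowed: '\([0-9][0-9]*\)'.*/\1/p" "$1" | tail -n 1
}

# Count key entries. Assumed format: one entry per line, first field is a
# numeric agent ID; blank lines and anything else are ignored.
count_agent_keys() {
    awk '$1 ~ /^[0-9]+$/ { n++ } END { print n + 0 }' "$1"
}

# Usage: check_agent_limit <ossec.log> <client.keys>
# Returns 0 if the entries fit, 1 if they do not, 2 if no limit was logged.
check_agent_limit() {
    limit=$(remoted_max_agents "$1")
    keys=$(count_agent_keys "$2")
    if [ -z "$limit" ]; then
        echo "no 'Maximum number of agents allowed' line in $1" >&2
        return 2
    fi
    echo "reported limit: $limit, key entries: $keys"
    # Assumption drawn from the thread's log: the error fires at 254 when
    # 256 are allowed, so treat limit - 2 as the ceiling.
    [ "$keys" -lt $((limit - 2)) ]
}

# Write constructed sample files into directory $1 (keys are placeholders).
make_sample() {
    cat > "$1/ossec.log" <<'EOF'
2014/10/08 21:02:25 ossec-remoted: INFO: Started (pid: 28839).
2014/10/08 21:02:25 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
EOF
    cat > "$1/client.keys" <<'EOF'
001 web01 any CONSTRUCTED_PLACEHOLDER_KEY_1
002 web02 any CONSTRUCTED_PLACEHOLDER_KEY_2

# constructed non-entry line
003 db01 10.0.0.5 CONSTRUCTED_PLACEHOLDER_KEY_3
EOF
}
```

If the reported limit is still 256 after installing rebuilt packages and restarting, the running ossec-remoted was not built with the larger MAX_AGENTS value.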