OSSEC Appliance Max Agents

Support/Development for OSSEC
TheCeryx
New Forum User
Posts: 2
Joined: Fri Nov 13, 2020 5:12 am
Location: Cologne

OSSEC Appliance Max Agents


Hello,

How can I configure max agents in the OSSEC Appliance?

Best Regards
cponton
Atomicorp Staff - Site Admin
Posts: 61
Joined: Fri Oct 09, 2020 9:41 am

Re: OSSEC Appliance Max Agents


By default OSSEC limits the number of agents to 256 per manager. This limitation is set in the code, but can be modified at compile time. Depending on the event load, a manager running on modern hardware can handle many more agents. Some users have more than 1000 agents on a single manager. To change the maximum number of agents, cd into the src directory and run the following command:

make setmaxagents

You should be prompted for the number of agents to allow.

One issue you may face after changing this setting is the number of files allowed to be open for a single user. The users ossec and ossecr both open at least 1 file (syscheck database and rids file) per agent. Raising this limit is operating system specific.

Some Linux distributions support a /etc/security/limits.conf. Set the limits to be at least a few files above what the max agents is set to.

ossec soft nofile 2048
ossec hard nofile 2048
ossecr soft nofile 2048
ossecr hard nofile 2048
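
A check for the limits.conf step in the answer above, as an added example that is not part of the original posts or of OSSEC itself: it reads a limits.conf-style file and reports any ossec/ossecr nofile entry that is missing or too low for a planned agent count. The function name check_nofile and the default headroom of 16 files are assumptions; only explicit per-user lines are considered, not wildcard or group entries.

```shell
#!/bin/sh
# check_nofile FILE MAX_AGENTS [MARGIN]   (hypothetical helper, not an OSSEC tool)
# Prints one line per user/type whose nofile limit is missing or below
# MAX_AGENTS + MARGIN. Returns 0 when all four entries are adequate, else 1.
check_nofile() {
    conf=$1; max_agents=$2; margin=${3:-16}   # margin of 16 is an assumption
    awk -v need="$((max_agents + margin))" '
        BEGIN {
            nu = split("ossec ossecr", users, " ")
            nt = split("soft hard", types, " ")
        }
        /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
        $3 != "nofile"       { next }          # only the open-files item matters
        $2 == "soft" || $2 == "hard" { lim[$1, $2] = $4 }
        $2 == "-" { lim[$1, "soft"] = $4; lim[$1, "hard"] = $4 }  # "-" sets both
        END {
            bad = 0
            for (i = 1; i <= nu; i++) for (j = 1; j <= nt; j++) {
                u = users[i]; t = types[j]
                if (!((u, t) in lim)) {
                    printf "%s %s nofile: missing (need >= %d)\n", u, t, need
                    bad = 1
                } else if (lim[u, t] + 0 < need) {
                    printf "%s %s nofile: %s is too low (need >= %d)\n", u, t, lim[u, t], need
                    bad = 1
                }
            }
            exit bad
        }' "$conf"
}

# Constructed sample input: the four lines shown in the post above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ossec soft nofile 2048
ossec hard nofile 2048
ossecr soft nofile 2048
ossecr hard nofile 2048
EOF
check_nofile "$sample" 1000 && echo "1000 agents: limits OK"
check_nofile "$sample" 4000 || echo "4000 agents: raise nofile first"
rm -f "$sample"
```

limits.conf is applied by pam_limits when a session starts, so the value in effect for an already running process is the one shown in /proc/<pid>/limits.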
TheCeryx
New Forum User
Posts: 2
Joined: Fri Nov 13, 2020 5:12 am
Location: Cologne

Re: OSSEC Appliance Max Agents


Hello cponton,

Thank you for the answer. But we use the OSSEC Appliance; can I set the value in limits.conf, or must we reinstall the OSSEC service?

Thanks for the answer.