Page 1 of 1
Ossec Max agents
Posted: Mon Jul 28, 2014 3:17 am
by Salas
How to increase Ossec max supported agents to more than 256 ?
I'm using CentOS 6.4
Re: Ossec Max agents
Posted: Tue Jul 29, 2014 8:01 pm
by scott
You'd have to rebuild the packages to do it. ASLs packages dont have this limitation, its set to 8092 in ASL.
Re: Ossec Max agents
Posted: Thu Oct 09, 2014 12:56 am
by jasonmg
Can anyone confirm that it is 8092? I am using ossec-hids-server-2.8.1-47.el6.art.x86_64 on RHEL 6.3. The max open files is set to 10,000. However, remoted is still showing that the max agents is 256.
2014/10/08 21:02:25 ossec-remoted: INFO: Started (pid: 28839).
2014/10/08 21:02:25 ossec-remoted(4111): INFO: Maximum number of agents allowed: '256'.
2014/10/08 21:02:25 ossec-remoted(1410): INFO: Reading authentication keys file.
2014/10/08 21:02:25 ossec-remoted(4110): ERROR: Maximum number of agents '254' reached.
2014/10/08 21:02:25 ossec-remoted(1202): ERROR: Configuration error at '/etc/client.keys'. Exiting.
Re: Ossec Max agents
Posted: Thu Oct 09, 2014 4:18 pm
by mikeshinn
What version of ASL do you have installed?
Re: Ossec Max agents
Posted: Thu Oct 09, 2014 5:11 pm
by jasonmg
I am only installing OSSEC via the ossec-hids-server-2.8.1-47.el6.art.x86_64 RPM. Is there a different OSSEC server RPM you get when you install ASL?
Re: Ossec Max agents
Posted: Thu Oct 09, 2014 5:45 pm
by mikeshinn
Yes. ASLs ossec rpms are different.
Re: Ossec Max agents
Posted: Thu Oct 09, 2014 6:24 pm
by jasonmg
Thank you for your quick reply.
Just to make sure... You are saying the ossec-hids-server rpm located here:
http://www5.atomicorp.com/channels/osse ... 6_64/RPMS/ is not the same OSSEC RPM being referred to above that is set to 8092 max agents? Instead it is set to 256?
Re: Ossec Max agents
Posted: Fri Oct 10, 2014 2:12 pm
by mikeshinn
Correct. ASL uses a different ossec build and a repository.
Re: Ossec Max agents
Posted: Fri Oct 10, 2014 3:53 pm
by jasonmg
I took a look at the spec file in the source RPM (just noticed you had it available). The spec file is setting the max agents to 16384 before it compiles...
# Increase max agents
echo "HEXTRA=-DMAX_AGENTS=16384" >> ./Config.OS
Re: Ossec Max agents
Posted: Fri Oct 10, 2014 4:09 pm
by scott
That was probably changed afterwords, at the moment ossec is built 3 different times (ASL, atomic, and the ossec repo). It makes coordination difficult, one of the changes we're making in OSSEC 2.9 is a big cleanup of the makefiles to support this kind of thing without having to resort to init file hacks like that.
Re: Ossec Max agents
Posted: Fri Oct 10, 2014 7:39 pm
by jasonmg
That will be an excellent improvement. Thanks for replying.
One odd thing though... I re-created the RPMs using that spec file and I still receive the max agents error. Are you aware of anything else (besides max open files not being high enough) that would cause that error? I also verified I see the max agents value being passed during the compile.
Re: Ossec Max agents
Posted: Sat Oct 11, 2014 8:24 pm
by scott
Not off the top of my head. Those have been going through a lot of changes after the makefile-rage that went on in github earlier this week.