[ossec-dev] Re: problem with MAX_AGENTS

[Jeremy Hanmer <jeremy@xxxxxxxxxxxxxxx>]

I had managed to fix it over the weekend.  That's how I knew that  
raising MAX_AGENTS stopped the segfault.  Unfortunately, after  
working fine for about 24 hours, I haven't gotten any more alerts  
since yesterday afternoon.  I'm trying to track down that issue today.


On Oct 30, 2006, at 5:07 PM, Daniel Cid wrote:

> Hi Jeremy,
>
> Ossec shouldn't be segfaulting when the upper limit of agents is  
> reached. I will
> investigate this further later. To solve your problem, just edit the
> file src/headers/defs.h
> and change the value of MAX_AGENTS to something higher (probably  
> 600 or more).
>
> From:
> /* Max limit of 256 agents */
> #define MAX_AGENTS  256
>
> To:
> #define MAX_AGENTS  756
>
> And recompile ossec:
>
> # cd ./src
> # vi headers/defs.h
> # make clean; make all; make build
> # /var/ossec/bin/ossec-control stop
> # cp -pr ../bin/* /var/ossec/bin/
> # /var/ossec/bin/ossec-control start
>
> *you just need to do it on the server.
>
> *btw, let us know how ossec behaves with that large number of agents.
> The maximum
> I tested with was 74 agents.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 10/30/06, Jeremy Hanmer <jeremy@xxxxxxxxxxxxxxx> wrote:
> > I've got a fairly large ossec installation that I've just set up
> > (currently 420 agents with 1 central server) and I hit a problem with
> > MAX_AGENTS.  With more than 256 agents, ossec-remoted segfaults.  I
> > had to dig through the code to figure out what to raise since nothing
> > gets logged when it crashes.  I tried to add some error handling, but
> > it looks like a lot of places would need checks and I'm not quite
> > comfortable with that just yet.