Agent disconnected line doesn't show agent name

[mstarks01]

Ossec agent started has a subject line like this:

3 - Ossec agent started. - (agent_name) 1.2.3.4

Ossec agent disconnected has a subject line like this:

3 - Ossec agent disconnected. - manager_name

Agent disconnected alerts should match the agent started alerts, providing the useful agent name in the subject line.

[awiddersheim]

I am confused. Is this a code issue or a decoder/rules issue?

[mstarks01]

This is a code issue.

[awiddersheim]

OK. I can try to look into fixing this but I'm not familiar enough with these log messages. Do they happen on the master, agent or both? Is there a way to reproduce these easily. Have you looked at all yet in the code to maybe help me figure out where these might be coming from?

Sorry for all the questions. Just trying to understand the problem a bit better before I embark on the journey to fix. Thanks in advance.

[mstarks01]

This falls into the "oh, here's something I have noticed again and better just log in and document it before I forget about it" category. Many of my tickets are like that. My reasoning is that even if I don't have the time to properly look into the issue, someone may get an itch and decide to take it on. :)

[mstarks01]

And.. I didn't really answer your question.

These are simply agent disconnected alerts from the manager. With the "agent started" alert, it's easy to see what agent is affected. But when an agent is disconnected, the agent name is not in the subject line. It seems that these should be consistent.

[awiddersheim]

Right. I agree the logging should be more consistent. No arguments there. Does the agent log that disconnected message or the master or both?

Just trying to track down where in the code those messages get generated so I can fix. Also, having a way to easily reproduce so I know I fixed.