As I continue to troubleshoot the different OSSEC for Splunk views, I come across very odd behavior. For example, "Agent Status Over Time" will give me results for:
This, of course, throws off the status numbers, and I'm betting it is a symptom of a larger issue.
Has anyone seen this before? I have 2 independent/different OSSEC/Splunk servers, each with 900+ active agents, and they both act the same way.
Please, please, please, suggestions/hints/ideas.
I am using OSSEC 2.6, with Splunk version 4.2.3, build 105575, and Splunk for OSSEC 1.1.88 on SuSE Linux 10.3.