Can an OSSEC manager have more than 256 agents?

By default OSSEC limits the number of agents to 256 per manager. This limitation is set in the code, but can be modified at compile time. Depending on the event load, a manager running on modern hardware can handle many more agents. Some users have more than 1000 agents on a single manager. To change the maximum number of agents, cd into the src directory and run the following command:

make setmaxagents

You should be prompted for the number of agents to allow.

One issue you may face after changing this setting is the number of files allowed to be open for a single user. The users ossec and ossecr both open at least 1 file (syscheck database and rids file) per agent. Raising this limit is operating system specific.

Some Linux distributions support /etc/security/limits.conf. Set the limits to at least a few files above the configured maximum number of agents.


        
ossec           soft    nofile          2048
ossec           hard    nofile          2048
ossecr          soft    nofile          2048
ossecr          hard    nofile          2048
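
A pre-flight check for the limits described above, as an added example that is not part of the original FAQ or of OSSEC itself: it reads a limits.conf-style file and confirms that both ossec and ossecr have soft and hard nofile values above the planned agent count. The function name, the 16-file margin and the sample file are assumptions; only explicit per-user entries are checked, not wildcard or group entries.

```shell
#!/bin/sh
# Added example: verify nofile limits for the OSSEC users before raising max agents.
# Usage: check_nofile_limits FILE MAX_AGENTS [MARGIN]
# MARGIN (assumed default 16) is the "few files above" headroom; pick your own.
check_nofile_limits() {
    file=$1 max_agents=$2 margin=${3:-16}
    awk -v need="$((max_agents + margin))" '
        BEGIN { split("ossec ossecr", users, " "); split("soft hard", types, " ") }
        { sub(/#.*/, "") }                 # strip comments
        NF < 4 || $3 != "nofile" { next }  # keep only nofile entries
        {
            val = $4 + 0                   # non-numeric values become 0 and get flagged
            # type "-" sets both the soft and the hard limit
            if ($2 == "-") { lim[$1, "soft"] = val; lim[$1, "hard"] = val }
            else lim[$1, $2] = val
        }
        END {
            bad = 0
            for (u = 1; u <= 2; u++) for (t = 1; t <= 2; t++) {
                k = users[u] SUBSEP types[t]
                if (!(k in lim)) {
                    printf "MISSING %s %s nofile (need >= %d)\n", users[u], types[t], need
                    bad = 1
                } else if (lim[k] < need) {
                    printf "LOW     %s %s nofile = %d (need >= %d)\n", users[u], types[t], lim[k], need
                    bad = 1
                }
            }
            exit bad                       # 0 = all four limits are sufficient
        }' "$file"
}

# Constructed sample mirroring the limits.conf entries shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ossec   soft  nofile  2048
ossec   hard  nofile  2048
ossecr  soft  nofile  2048
ossecr  hard  nofile  2048
EOF
check_nofile_limits "$sample" 1000 && echo "limits OK for 1000 agents"
check_nofile_limits "$sample" 2048 || echo "limits too low for 2048 agents"
rm -f "$sample"
```

Point it at the real /etc/security/limits.conf with the number you gave to make setmaxagents; a non-zero exit status means at least one of the four entries is missing or too low.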

The default is 256; raise it if you have many machines.