Thanks, I did find it; that did help.

I had two more questions; not sure if I should start another thread:

I had frequency set on the agents to:

<frequency>7200</frequency>

I looked in the ossec.log and it never kicked off, and it has been 15 hours 
since the last scan finished.  I restarted the agent and it kicked off but 
any idea what might not start it?  



Second question:

The scans seem to take a very long time. I ran it and it takes 4 hours on 
one of my web servers.  Is it the size of the files or the number of files 
that determines the scan, and is there any way to speed it up?  


Thanks



On Wednesday, June 7, 2017 at 5:21:01 AM UTC-4, Jesus Linares wrote:
>
> Review the ossec.conf of the agent 1027. You should see a log for 
> starting/ending rootcheck and syscheck.
>
> I hope it helps.
>
> On Tuesday, June 6, 2017 at 9:17:11 PM UTC+2, John Kondur wrote:
>>
>> Thanks but unfortunately all it shows is the following:
>>
>>
>> OSSEC HIDS agent_control. Agent information:
>>    Agent ID:   1027
>>    Agent Name: server1
>>    IP address: any/any
>>    Status:     Active
>>
>>    Operating system:    Linux 4.4.
>>    Client version:      OSSEC HIDS v2.8.3 / 6322ee12ea9a05951f97923a8341a01a
>>    Last keep alive:     Tue Jun  6 19:10:59 2017
>>
>>    Syscheck last started  at: Tue Jun  6 18:19:23 2017
>>    Rootcheck last started at: Tue Jun  6 18:41:54 2017
>>
>>  
>> It just shows last started, but never shows when it completes.
>>
>>
>> On Tuesday, June 6, 2017 at 4:42:52 AM UTC-4, Jesus Linares wrote:
>>>
>>> Hi John,
>>>
>>> I think it should appear in /var/ossec/bin/agent_control -i 1027. Also, 
>>> you can review the ossec.conf of your agent.
>>>
>>> Regards.
>>>
>>> On Monday, June 5, 2017 at 6:24:14 PM UTC+2, John Kondur wrote:
>>>>
>>>> I just started to use ossec, and was doing some testing by making some 
>>>> changes in a file in a directory, and then I run from the server:
>>>>
>>>>
>>>> /var/ossec/bin/agent_control -r -a
>>>>
>>>>
>>>> if I do a query on the agent:
>>>>
>>>>
>>>>
>>>> /var/ossec/bin/agent_control -i 1027
>>>>
>>>>
>>>>
>>>> It will show last time it started but never shows when it completes? 
>>>>  Is there a process or way to check to see if it completed or am I not 
>>>> waiting long enough?  So far I am not seeing ossec pick up that the file 
>>>> changes.
>>>>
>>>> Thanks
>>>>
>>>
