I have a few more questions regarding admin triggered updates of files monitored by syscheck.
What would be the "correct" procedure to update the syscheck database without getting alerts? Does syscheck_update create alerts, or is it a tool that is designed for updating the syscheck db without alerts when updates are applied? If it is, would the following procedure be the way to handle updates?

1) trigger a run of syscheck with agent_control on all hosts that are going to be updated (to avoid missing changes that happened between the last run of syscheck and the syscheck_update). OSSEC will send notifications for files changed during that time period.
2) apply the software updates on the hosts
3) run syscheck_update for these hosts.

Kind regards,
Oscar

On Fri, Mar 5, 2010 at 11:34 AM, Mike Sievers <[email protected]> wrote:
> I started /var/ossec/bin/syscheck_update -u local at 11 o'clock, but
> no alert till now (11:30) :-(
>
> On 26 Feb., 16:56, "dan (ddp)" <[email protected]> wrote:
> > For a local installation you should be able to just use:
> > /var/ossec/bin/syscheck_update -u local
> > That should fire off a syscheck scan to update the db. Not sure why I
> > didn't think of that originally.
> >
> > As far as active response is concerned, I'm not sure why that isn't
> > working for you.
> > "agent_control -R <id>" doesn't seem to work for me, but
> > "agent_control -r -u 000" doesn't complain.
> > I'd consider removing ossec and re-installing to see if that helps
> > (I'm using the latest snapshot available at
> > ossec.net/files/snapshots/).
> >
> > On Thu, Feb 25, 2010 at 7:09 AM, Mike Sievers
> > <[email protected]> wrote:
> > > Info: this is a local installation
> > > Agent ID: 000 (local instance)
