>
> Requests from the server for the agents to run syscheck updates are
> not immediate. I've seen them take 30min before.
> In the agent's logs that you posted the following line means syscheck
> scan has started:
> 2010/07/28 14:07:09 ossec-syscheckd: INFO: Starting syscheck database
> (pre-scan).
>
> After that line you should see something like:
> 2009/10/12 16:39:03 ossec-syscheckd: INFO: Finished creating syscheck
> database (pre-scan completed).
> 2009/10/12 16:41:04 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2009/10/12 16:44:27 ossec-syscheckd: INFO: Ending syscheck scan
> (forwarding database).
>
Ahh ha, well I've not seen the finished line at all and it's been what, 16 odd
hours, and it's not like it's a huge server with masses of files either. I assume
OSSEC is able to run a scan against the '/' root partition? Effectively the
whole server?
> You shouldn't need the following in the agent.conf, these are only for
> the server:
> <auto_ignore>no</auto_ignore>
> <alert_new_files>yes</alert_new_files>
>
> For the agent_config name="001" and 002, are those actually the agent
> names? They look like the agent IDs, but I can't be sure.
Yea, I know I don't need them there, but at the time I put them in both places
to make sure I've got all the bases covered...
I can see I've gone wrong there then; they have to be set by name, not by the
agent ID. I'll change this now, thanks very much! Not sure why I thought it
would be agent ID really.
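The quoted ossec-syscheckd lines give a simple way to tell from an agent's ossec.log where a syscheck run stands. The following is an added example, not code from this thread or from OSSEC itself: it parses those lines, groups them into runs, and reports whether the latest run finished (with per-phase durations) or has sat in the pre-scan longer than a threshold, as in the 16-hour case above. The log excerpt is constructed from the lines quoted in the thread; the function names and the two-hour threshold are assumptions of mine.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt of an agent's ossec.log: the ossec-syscheckd lines quoted in
# the thread, one per line as the daemon writes them, plus a later run that never
# gets past the pre-scan (the situation described above).
SAMPLE_LOG = """\
2009/10/12 16:39:01 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2009/10/12 16:39:03 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2009/10/12 16:41:04 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2009/10/12 16:44:27 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2010/07/28 14:07:09 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
"""
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-syscheckd: INFO: (.*)$")
# Message prefix -> phase name, in the order a healthy syscheck run emits them.
PHASES = [("Starting syscheck database", "prescan_start"),
          ("Finished creating syscheck database", "prescan_done"),
          ("Starting syscheck scan", "scan_start"),
          ("Ending syscheck scan", "scan_end")]

def syscheck_runs(text):
    """Parse syscheckd phase lines and group them into runs, each opened by a pre-scan start."""
    runs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        phase = next((p for prefix, p in PHASES if m and m.group(2).startswith(prefix)), None)
        if phase is None:
            continue  # not a syscheck phase line (other daemons, debug output, etc.)
        if phase == "prescan_start":
            runs.append({})
        elif not runs:
            continue  # tail of a run whose start is not in this excerpt
        runs[-1][phase] = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    return runs

def check_syscheck(text, now, max_hours=2):
    """Summarise the latest run: phase durations if it ended, else elapsed time and a stall flag."""
    runs = syscheck_runs(text)
    if not runs:
        return {"status": "no-syscheck-activity"}
    last = runs[-1]
    secs = lambda a, b: (last[b] - last[a]).total_seconds()
    if "scan_end" in last:
        return {"status": "complete", "prescan_seconds": secs("prescan_start", "prescan_done"),
                "scan_seconds": secs("scan_start", "scan_end")}
    elapsed = now - last["prescan_start"]  # assumed threshold: flag runs older than max_hours
    status = "stalled" if elapsed > timedelta(hours=max_hours) else "in-progress"
    return {"status": status, "elapsed_hours": round(elapsed.total_seconds() / 3600, 1)}
```

Run against the sample with a clock 16 hours past the last pre-scan line, the latest run is reported as stalled; the earlier run reports a 2-second pre-scan and a 203-second forwarding scan.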