One more thing of interest: I noticed the time, per OSSEC, is two hours faster than the system time. I ran date and hwclock and both returned the current local time. However, when OSSEC sends alert emails out, it notes the time 2 hours ahead of what the current correct time is.
Why would this be?

On Wed, Sep 22, 2010 at 11:29 AM, Jeremy Lee <[email protected]> wrote:

> I think there's something up with the <scan_day> flag - I was unable to get
> agent_control to kick off a syscheck until I removed the flag. What is
> strange is that it all seemed to be working fine before I started messing
> with importing the agent.conf over. I wonder if something got fudged. Is
> there a 'common' or merged file OSSEC reads when ossec.conf and agent.conf
> exist?
>
> On Wed, Sep 22, 2010 at 9:53 AM, Jeremy Lee <[email protected]> wrote:
>
>> One other question, if I have <frequency>79200</frequency> in my
>> ossec.conf, will that conflict with the <scan_time> and <scan_day> in the
>> agent.conf?
>>
>> On Tue, Sep 21, 2010 at 9:44 PM, jplee3 <[email protected]> wrote:
>>
>>> Hey guys,
>>>
>>> I've been testing out deploying the agent.conf to machines and am
>>> having trouble with the syscheck scheduling. My agent.conf looks like
>>> this:
>>>
>>> <agent_config>
>>>   <syscheck>
>>>     <scan_on_start>no</scan_on_start>
>>>     <scan_time>17:00</scan_time>
>>>     <scan_day>Tuesday</scan_day>
>>>
>>>     <directories check_all="yes">/home/app</directories>
>>>
>>>   </syscheck>
>>>
>>>   <localfile>
>>>     <log_format>syslog</log_format>
>>>     <location>/home/log1</location>
>>>   </localfile>
>>>
>>>   <localfile>
>>>     <log_format>syslog</log_format>
>>>     <location>/home/log2</location>
>>>   </localfile>
>>>
>>> </agent_config>
>>>
>>> I have verified that the dates are correct on the two agent machines
>>> and the server machine. Syscheck did not kick off at 17:00 today as
>>> verified in the ossec.log and through agent_control -i 001 and 002.
>>> Are there issues with agent.conf properly recognizing the "scan_*"
>>> flags? These obviously work fine in ossec.conf - am I missing
>>> something?
