Replying to a few of your mails in this one. Look for comments inline. :)

On Wed, Sep 22, 2010 at 3:12 PM, Jeremy Lee <[email protected]> wrote:
> One more thing of interest: I noticed the time, per OSSEC, is two hours
> faster than the system time. I ran date and hwclock and both returned the
> current local time. However, when OSSEC sends alert emails out, it notes the
> time 2 hours ahead of what the current correct time is.
>
> Why would this be?
>

The ossec processes are generally chrooted in /var/ossec. To get the correct
time the ossec processes use /var/ossec/etc/localtime. The system localtime
file (generally /etc/localtime) may be a symlink to the correct timezone file
(/usr/share/zoneinfo maybe?). Copy the file (the /usr/share/zoneinfo/WHATEVER
file) to /var/ossec/etc and restart the ossec processes. This should correct
the time issue.

> On Wed, Sep 22, 2010 at 11:29 AM, Jeremy Lee <[email protected]> wrote:
>>
>> I think there's something up with the <scan_day> flag - I was unable to
>> get agent_control to kick off a syscheck until I removed the flag. What is
>> strange is that it all seemed to be working fine before I started messing
>> with importing the agent.conf over. I wonder if something got fudged. Is
>> there a 'common' or merged file OSSEC reads when ossec.conf and agent.conf
>> exist?
>>

Not currently. There's no easy way to see the final configuration at the moment.

>> On Wed, Sep 22, 2010 at 9:53 AM, Jeremy Lee <[email protected]> wrote:
>>>
>>> One other question, if I have <frequency>79200</frequency> in my
>>> ossec.conf, will that conflict with the <scan_time> and <scan_day> in the
>>> agent.conf?
>>>

I think (haven't tested, at least not recently) that they will both be used.
So the scan will start at scan_time, as well as every 79200s.

>>> On Tue, Sep 21, 2010 at 9:44 PM, jplee3 <[email protected]> wrote:
>>>>
>>>> Hey guys,
>>>>
>>>> I've been testing out deploying the agent.conf to machines and am
>>>> having trouble with the syscheck scheduling. My agent.conf looks like
>>>> this:
>>>>
>>>> <agent_config>
>>>>   <syscheck>
>>>>     <scan_on_start>no</scan_on_start>
>>>>     <scan_time>17:00</scan_time>
>>>>     <scan_day>Tuesday</scan_day>
>>>>
>>>>     <directories check_all="yes">/home/app</directories>
>>>>   </syscheck>
>>>>
>>>>   <localfile>
>>>>     <log_format>syslog</log_format>
>>>>     <location>/home/log1</location>
>>>>   </localfile>
>>>>
>>>>   <localfile>
>>>>     <log_format>syslog</log_format>
>>>>     <location>/home/log2</location>
>>>>   </localfile>
>>>> </agent_config>
>>>>
>>>> I have verified that the dates are correct on the two agent machines
>>>> and the server machine. Syscheck did not kick off at 17:00 today as
>>>> verified in the ossec.log and through agent_control -i 001 and 002.
>>>> Are there issues with agent.conf properly recognizing the "scan_*"
>>>> flags? These obviously work fine in ossec.conf - am I missing
>>>> something?
>>>>
>>>
>>
>

I think the timezone issue above may be affecting this. Please correct the
timezone and test the scan_time or whatever again.
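The copy-the-zone-file fix described in the reply above, written out as a small POSIX shell helper. This is an added example for this thread, not OSSEC project code. It resolves the symlink behind the system localtime, writes a regular-file copy into the chroot's etc directory, and verifies the two are byte-identical; the demo runs the same steps against a constructed temp-dir layout so it can be tried without root. Function names, the placeholder zone contents, and the use of GNU `readlink -f` (substitute `realpath` on BSD/macOS) are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread, not OSSEC project code.
# Copies the zone file that the system localtime points at into the OSSEC
# chroot, so the chrooted daemons read the same zone as /etc/localtime.
# Assumes GNU readlink -f (on BSD/macOS substitute realpath).

# sync_chroot_localtime SYSTEM_LOCALTIME CHROOT_ETC
#   Resolves symlinks on SYSTEM_LOCALTIME (often a link into /usr/share/zoneinfo),
#   writes a regular-file copy to CHROOT_ETC/localtime and prints the resolved path.
sync_chroot_localtime() {
    src="$1"
    dest_dir="$2"
    real=$(readlink -f "$src") || return 1
    if [ ! -f "$real" ]; then
        echo "sync_chroot_localtime: no zone file at $real" >&2
        return 1
    fi
    mkdir -p "$dest_dir" || return 1
    # cat rather than cp -P: a symlink into /usr/share/zoneinfo would dangle
    # inside the chroot, so the copy must be a real file.
    cat "$real" > "$dest_dir/localtime" || return 1
    chmod 644 "$dest_dir/localtime"
    echo "$real"
}

# check_chroot_localtime SYSTEM_LOCALTIME CHROOT_ETC
#   Returns 0 only when the chroot copy exists and is byte-identical to the
#   system zone file (a stale or missing copy is what this check catches).
check_chroot_localtime() {
    cmp -s "$1" "$2/localtime"
}

# Demonstration against a constructed layout under a temp dir, so it runs
# without root and without touching a real OSSEC install.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/usr/share/zoneinfo/Europe" "$tmp/etc" "$tmp/var/ossec/etc"
    # Constructed placeholder contents; a real zone file is TZif binary data.
    printf 'TZif placeholder for Europe/Berlin\n' > "$tmp/usr/share/zoneinfo/Europe/Berlin"
    ln -s "$tmp/usr/share/zoneinfo/Europe/Berlin" "$tmp/etc/localtime"
    # Before the copy the chroot has no localtime, so the check must fail.
    if check_chroot_localtime "$tmp/etc/localtime" "$tmp/var/ossec/etc"; then
        rm -rf "$tmp"
        return 1
    fi
    sync_chroot_localtime "$tmp/etc/localtime" "$tmp/var/ossec/etc" >/dev/null || {
        rm -rf "$tmp"
        return 1
    }
    check_chroot_localtime "$tmp/etc/localtime" "$tmp/var/ossec/etc"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# On a real host (as root), the thread's fix is:
#   sync_chroot_localtime /etc/localtime /var/ossec/etc && /var/ossec/bin/ossec-control restart
```

After the restart, a quick sanity check on a glibc system is to compare `date` with `TZ=:/var/ossec/etc/localtime date`: if the chroot copy is current they print the same wall-clock time, and if they still differ by the two hours from the report the copy is stale or points at the wrong zone. Re-run `check_chroot_localtime` whenever the host's timezone is changed, since the chroot copy does not follow the symlink automatically.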
