I tried changing the time and ensured that the time is correct on both servers. However, it's still not getting kicked off for some reason. I don't see anything in the ossec.log even with full debugging on. I know there's a slight delay before syscheck kicks off, but it shouldn't be more than 5 minutes. And I've tried updating agent.conf with the <scan_time> to be far in advance. It's just not working for some reason. Any other ideas?
On Thu, Sep 23, 2010 at 5:47 AM, dan (ddp) <[email protected]> wrote:
> Replying to a few of your mails in this one. Look for comments inline. :)
>
> On Wed, Sep 22, 2010 at 3:12 PM, Jeremy Lee <[email protected]> wrote:
> > One more thing of interest: I noticed the time, per OSSEC, is two hours
> > faster than the system time. I ran date and hwclock and both returned the
> > current local time. However, when OSSEC sends alert emails out, it notes the
> > time 2 hours ahead of what the current correct time is.
> >
> > Why would this be?
> >
>
> The ossec processes are generally chrooted in /var/ossec. To get the
> correct time the ossec processes use /var/ossec/etc/localtime.
> The system localtime file (generally /etc/localtime) may be a symlink
> to the correct timezone file (/usr/share/zoneinfo maybe?). Copy the
> file (the /usr/share/zoneinfo/WHATEVER file) to /var/ossec/etc and
> restart the ossec processes. This should correct the time issue.
>
> > On Wed, Sep 22, 2010 at 11:29 AM, Jeremy Lee <[email protected]> wrote:
> >> I think there's something up with the <scan_day> flag - I was unable to
> >> get agent_control to kick off a syscheck until I removed the flag. What is
> >> strange is that it all seemed to be working fine before I started messing
> >> with importing the agent.conf over. I wonder if something got fudged. Is
> >> there a 'common' or merged file OSSEC reads when ossec.conf and agent.conf
> >> exist?
> >>
>
> Not currently. There's no easy way to see the final configuration at the
> moment.
>
> >> On Wed, Sep 22, 2010 at 9:53 AM, Jeremy Lee <[email protected]> wrote:
> >>> One other question, if I have <frequency>79200</frequency> in my
> >>> ossec.conf, will that conflict with the <scan_time> and <scan_day> in the
> >>> agent.conf?
> >>>
>
> I think (haven't tested, at least not recently) that they will both be
> used. So the scan will start at scan_time, as well as every 79200s.
>
> >>> On Tue, Sep 21, 2010 at 9:44 PM, jplee3 <[email protected]> wrote:
> >>>> Hey guys,
> >>>>
> >>>> I've been testing out deploying the agent.conf to machines and am
> >>>> having trouble with the syscheck scheduling. My agent.conf looks like
> >>>> this:
> >>>>
> >>>> <agent_config>
> >>>>   <syscheck>
> >>>>     <scan_on_start>no</scan_on_start>
> >>>>     <scan_time>17:00</scan_time>
> >>>>     <scan_day>Tuesday</scan_day>
> >>>>
> >>>>     <directories check_all="yes">/home/app</directories>
> >>>>   </syscheck>
> >>>>
> >>>>   <localfile>
> >>>>     <log_format>syslog</log_format>
> >>>>     <location>/home/log1</location>
> >>>>   </localfile>
> >>>>
> >>>>   <localfile>
> >>>>     <log_format>syslog</log_format>
> >>>>     <location>/home/log2</location>
> >>>>   </localfile>
> >>>> </agent_config>
> >>>>
> >>>> I have verified that the dates are correct on the two agent machines
> >>>> and the server machine. Syscheck did not kick off at 17:00 today as
> >>>> verified in the ossec.log and through agent_control -i 001 and 002.
> >>>> Are there issues with agent.conf properly recognizing the "scan_*"
> >>>> flags? These obviously work fine in ossec.conf - am I missing
> >>>> something?
> >>>>
>
> I think the timezone issue above may be affecting this. Please correct
> the timezone and test the scan_time or whatever again.
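The timezone fix dan describes, written out as a small POSIX shell script. This is an added example for the thread, not a tool shipped with OSSEC: the default paths (/etc/localtime and /var/ossec/etc/localtime) are the ones named above, the function names and the SYS_TZ/OSSEC_TZ variables are mine, and the `--fix` branch assumes the stock /var/ossec/bin/ossec-control is present for the restart. The key point it encodes is that a symlink to /usr/share/zoneinfo/... is useless once the daemons have chrooted into /var/ossec, so the chroot copy must be a regular file with the same content as the system zone file.

```shell
#!/bin/sh
# Check, and optionally repair, the timezone file a chrooted OSSEC process
# reads. Added example for the mailing-list thread; not part of OSSEC.

SYS_TZ="${SYS_TZ:-/etc/localtime}"                 # what the rest of the host uses
OSSEC_TZ="${OSSEC_TZ:-/var/ossec/etc/localtime}"   # what ossec-* see after chroot

# ossec_tz_check SYS_FILE CHROOT_FILE
# Returns 0 when CHROOT_FILE is a regular file identical to SYS_FILE,
# 1 when it is missing, is a symlink, or differs in content.
ossec_tz_check() {
    sys="$1"; chroot_tz="$2"
    # Inside the chroot a symlink is resolved relative to /var/ossec, so a
    # link to /usr/share/zoneinfo/Whatever points at nothing. Reject it even
    # if it happens to resolve from outside the chroot.
    [ -L "$chroot_tz" ] && return 1
    [ -f "$chroot_tz" ] || return 1
    cmp -s "$sys" "$chroot_tz"
}

# ossec_tz_sync SYS_FILE CHROOT_FILE
# Replaces CHROOT_FILE with the real zoneinfo data: cp -L dereferences a
# symlinked SYS_FILE so the copy carries the TZif bytes, not the link.
ossec_tz_sync() {
    sys="$1"; chroot_tz="$2"
    rm -f "$chroot_tz"
    cp -L "$sys" "$chroot_tz" && chmod 0644 "$chroot_tz"
}

# show_times SYS_FILE CHROOT_FILE
# Prints the wall clock as seen through each file. glibc treats a TZ value
# of ":<path>" as a TZif file, which mimics what the chrooted daemon gets.
show_times() {
    echo "system time: $(TZ=":$1" date)"
    echo "ossec time:  $(TZ=":$2" date)"
}

case "${1:-}" in
    --check)
        show_times "$SYS_TZ" "$OSSEC_TZ"
        if ossec_tz_check "$SYS_TZ" "$OSSEC_TZ"; then
            echo "ok: $OSSEC_TZ matches $SYS_TZ"
        else
            echo "mismatch: $OSSEC_TZ is missing, a symlink, or a different zone"
            exit 1
        fi
        ;;
    --fix)
        ossec_tz_sync "$SYS_TZ" "$OSSEC_TZ" || exit 1
        # Daemons read localtime at startup, so a restart is required.
        [ -x /var/ossec/bin/ossec-control ] && /var/ossec/bin/ossec-control restart
        show_times "$SYS_TZ" "$OSSEC_TZ"
        ;;
    *)
        echo "usage: $0 --check | --fix" >&2
        ;;
esac
```

Run it with `--check` on the server and on each agent before testing scan_time again; if `ossec time` is still two hours off after `--fix`, the daemons were not restarted and are still holding the old zone.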
