I've confirmed that the <scan_day> flag is the one causing the issues I'm seeing. I still haven't tested <scan_time> in agent.conf but it definitely is working in ossec.conf (with <scan_day> turned off/commented out).

On Fri, Sep 24, 2010 at 12:29 PM, Jeremy Lee <[email protected]> wrote:
> I have the 2.4.1 agent installed.
>
> I'm testing the <scan_day> flag again on a machine and hopefully it will
> kick off in about 5 minutes! I'm doing this only in ossec.conf now just to
> verify it's fully working.
>
> I was hoping to successfully do this using agent.conf but have not been
> successful.
>
> Thanks!
> jeremy
>
> On Fri, Sep 24, 2010 at 12:00 PM, Daniel Cid <[email protected]> wrote:
>
>> Hi Jeremy,
>>
>> Which version of ossec do you have in the agent? We fixed some bugs
>> related to the scan_day/scan_time on v2.4.
>>
>> Thanks,
>>
>> On Fri, Sep 24, 2010 at 1:29 PM, Jeremy Lee <[email protected]> wrote:
>> > I moved back to using ossec.conf and had <scan_day> set but it still
>> > wouldn't kick off. Tried again today and removed <scan_day> and syscheck
>> > kicked off this time. Is the <scan_day> flag case sensitive? Once the
>> > syscheck finishes I'm going to add <scan_day> back in again and test
>> > more. Hopefully it works at least for the ossec.conf
>> >
>> > I'll have to keep testing with agent.conf when I get more time.
>> >
>> > On Thu, Sep 23, 2010 at 1:58 PM, dan (ddp) <[email protected]> wrote:
>> >>
>> >> No other ideas at the moment. I'll try setting it up to see what
>> >> happens.
>> >>
>> >> On Thu, Sep 23, 2010 at 2:55 PM, Jeremy Lee <[email protected]> wrote:
>> >> > I tried changing the time and ensured that the time is correct on
>> >> > both servers. However, it's still not getting kicked off for some
>> >> > reason. I don't see anything in the ossec.log even with full
>> >> > debugging on. I know there's a slight delay before syscheck kicks
>> >> > off, but it shouldn't be more than 5 minutes. And I've tried
>> >> > updating agent.conf with the <scan_time> to be far in advance.
>> >> > It's just not working for some reason. Any other ideas?
