We have installed 10 agents and 1 OSSEC server. The Windows 2003 agents are working without a problem. On the Win2008R2 agents, we modified the ossec.conf on the agent to change the syscheck interval from 7200 to 3600. Since then the rootchecks fire every 3600, but the syschecks haven’t fired at all. I’ve tried to manually force a syscheck/rootcheck through agent_control on the server. I’ve also updated (cleared) the syscheck database on the server. When issuing the command agent_control -lc, it shows all the agents are active. When issuing the command agent_control -i 003 -e, it shows the last rootcheck as of ten minutes ago but the last syscheck as unknown.
Any thoughts, ideas, suggestions?
