Dan, appreciate your response. It turns out my agent.conf didn't have one valid Windows directory and one valid registry key... for some reason this disabled syscheck. I have since got it to work by adding the two entries. Unfortunately, my client wants an additional 272 entries added, and since adding these the agent.conf quit working. I started a new thread about that here: http://groups.google.com/group/ossec-list/t/1b517d8420845056

On Jul 8, 9:04 am, "dan (ddp)" <[email protected]> wrote:
> Are you sure the syscheck isn't running and just not finishing or something?
> Check the logs to make sure.
>
> If you change the frequency back to 7200, does it work?
>
> On Wed, Jul 6, 2011 at 1:05 PM, brighamr <[email protected]> wrote:
> > We have installed 10 agents and 1 ossec server. The Windows 2003
> > agents are working without a problem. On the win2008r2 agents, we
> > modified the ossec.conf on the agent to change the syscheck interval
> > from 7200 to 3600. Since then the rootchecks fire every 3600, but the
> > syschecks haven’t fired at all. I’ve tried to manually force a
> > syscheck/rootcheck through agent_control on the server. I’ve also
> > updated (cleared) the syscheck database on the server. When issuing
> > the command agent_control -lc, it shows all the agents are active.
> > When issuing the command agent_control -I 003 -e, it shows the last
> > rootcheck as of ten minutes ago but the last syscheck as unknown.
> >
> > Any thoughts, ideas, suggestions?
