For those who use OSSEC regularly, you probably notice that although
agent_control or list_agents shows agents as "available" or
"connected", you haven't actually gotten anything from them.
Enter the problem: how do you know you're actually getting something
from those machines?
I wrote a couple of quick scripts to help with this.
Hope someone finds this useful.
#!/bin/bash
# Usage: ./check_agents.sh [filter]
# For every agent listed by agent_control, look for the first alerts.log
# line tagged "(agentname)" (optionally after narrowing the log with a
# grep filter). Agents with no such line are written to missing_data.txt;
# the matched line for the others goes to data.txt.
ALERTS=/var/ossec/logs/alerts/alerts.log
SUBFILTER=$1
: > missing_data.txt
: > data.txt
# Only lines containing "Name:" describe an agent; the header line would
# otherwise be split into bogus names. The manager's own "(server)" entry
# is skipped because its alerts are not tagged with "(name)".
agent_control -l | grep 'Name: ' | grep -v '(server)' |
    sed 's/.*Name: //; s/,.*//' |
while read -r a; do
    # -z tests for an empty filter (the original -d tested for a directory)
    if [ -z "$SUBFILTER" ]; then
        RESULT=$(grep -F -m 1 "($a)" "$ALERTS")
    else
        RESULT=$(grep -- "$SUBFILTER" "$ALERTS" | grep -F -m 1 "($a)")
    fi
    COUNT=$(printf '%s' "$RESULT" | wc -m)
    echo "$a"
    echo "$RESULT"
    echo "$COUNT"
    if [ "$COUNT" -eq 0 ]; then
        echo "$a" >> missing_data.txt
    else
        echo "$RESULT" >> data.txt
    fi
done
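As an added example (this is not the poster's script), here is a Python version of the same check that also reports how old each agent's newest alert is, since a single "(agentname)" hit from months ago does not prove the agent is still sending anything. The agent_control -l and alerts.log line formats are assumed from memory, and the sample agent list and log excerpt below are constructed, not captured from a real manager; verify the regexes against your own output before relying on it.

```python
#!/usr/bin/env python3
"""Report OSSEC agents that agent_control lists but that have produced no
alert (or none recently).  Added example, not the script from the post.

Assumed formats (from memory; check against your manager):
  * `agent_control -l` prints one line per agent containing "Name: <name>,";
    the manager's own entry is marked "(server)".
  * alerts.log records start "** Alert <epoch>.<seq>:" and the next line reads
    "<date> (<agent>) <ip>-><location>" for remote agents; the manager's own
    local-log alerts carry no "(name)" tag.
"""
import re
import sys
import time
from typing import Dict, Iterable, List, Optional

NAME_RE = re.compile(r"Name: ([^,]+),")
HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.\d+:")
AGENT_TAG_RE = re.compile(r"\(([^)]+)\) \S+->")

# Constructed sample output of `agent_control -l` (not from a real manager).
SAMPLE_AGENT_LIST = """\
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ossec-server (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: web01, IP: 10.0.0.11, Active
   ID: 002, Name: db01, IP: 10.0.0.12, Active
   ID: 003, Name: bastion, IP: 10.0.0.13, Active
"""

# Constructed alerts.log excerpt (not real alerts).
SAMPLE_ALERTS_LOG = """\
** Alert 1700000000.100: - syslog,sshd,authentication_success,
2023 Nov 14 22:13:20 (web01) 10.0.0.11->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Accepted publickey for deploy from 10.0.0.50 port 51234 ssh2

** Alert 1700000300.101: - syslog,sshd,authentication_failed,
2023 Nov 14 22:18:20 (db01) 10.0.0.12->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Failed password for invalid user admin from 10.0.0.99 port 40000 ssh2

** Alert 1700003600.102: - ossec,
2023 Nov 14 23:13:20 ossec-server->ossec-keepalive
Rule: 503 (level 3) -> 'Ossec agent started.'
"""


def parse_agent_names(agent_list: str) -> List[str]:
    """Agent names from `agent_control -l`, skipping the manager's own entry."""
    names = []
    for line in agent_list.splitlines():
        m = NAME_RE.search(line)
        if m and "(server)" not in m.group(1):
            names.append(m.group(1).strip())
    return names


def latest_alert_per_agent(alerts_log: str) -> Dict[str, int]:
    """Epoch of the newest alert seen for each "(agent)" tag in alerts.log."""
    latest: Dict[str, int] = {}
    epoch: Optional[int] = None
    for line in alerts_log.splitlines():
        h = HEADER_RE.match(line)
        if h:
            epoch = int(h.group(1))   # applies to the line that follows
            continue
        if epoch is None:
            continue
        t = AGENT_TAG_RE.search(line)  # only the record's second line is examined
        if t:
            name = t.group(1)
            latest[name] = max(latest.get(name, 0), epoch)
        epoch = None
    return latest


def missing_agents(agents: Iterable[str], latest: Dict[str, int], now: int,
                   max_age_seconds: Optional[int] = None) -> List[str]:
    """Agents with no alert at all, or whose newest alert is older than max_age_seconds."""
    out = []
    for name in agents:
        last = latest.get(name)
        if last is None or (max_age_seconds is not None and now - last > max_age_seconds):
            out.append(name)
    return out


def main(argv: List[str]) -> None:
    # Optional: paths to a saved `agent_control -l` output and an alerts.log copy.
    if len(argv) == 3:
        with open(argv[1]) as f:
            agent_list = f.read()
        with open(argv[2]) as f:
            alerts_log = f.read()
    else:
        agent_list, alerts_log = SAMPLE_AGENT_LIST, SAMPLE_ALERTS_LOG
    agents = parse_agent_names(agent_list)
    latest = latest_alert_per_agent(alerts_log)
    for name in agents:
        seen = latest.get(name)
        when = "never" if seen is None else time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(seen))
        print(f"{name}: last alert {when}")
    print("missing or silent for >1h:", missing_agents(agents, latest, int(time.time()), 3600))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the behaviour on the constructed data, or pass a saved `agent_control -l` output and a copy of alerts.log. An agent that has never tripped a rule will still show as "never"; if you want a liveness signal independent of rule matches, compare against the agent's keepalive timestamps rather than alerts.log alone.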