Hi;
It now appears that quite a bit of my initial problems have been caused by
my own impatience. As others have noted, when syscheck runs initially, it
creates the database of files w/ checksums, permissions, etc. That,
apparently, takes *A LONG* time lol.
For testing, I have the syscheck frequency set to 15 minutes. Obviously,
that first syscheck build-the-database thing is taking quite a bit longer
than that. I'm able to trace the progress a bit by watching the
/var/ossec/queue/syscheck/syscheck file grow and by tailing it
occasionally to see what directory it's hitting.
In the ossec.log file, I saw
2012/08/23 13:34:19 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
Is that the line that says it's building the database? Is there a line
that'll get displayed when that's done? Is there any way to find out if
syscheck is actively running/scanning so I don't shoot myself in the foot
again by starting/stopping/updating/zeroing out, or any of the other host of
things I did today in my impatience?
The agent_control line simply says when it last ran - not that it's still
running...
# agent_control -i 000
OSSEC HIDS agent_control. Agent information:
Agent ID: 000 (local instance)
Agent Name: ${myhost}.${myco}
IP address: 127.0.0.1
Status: Active/Local
Operating system: Linux ${myhost}.${myco} 2.6.32-279.5.1.el6.x86_6..
Client version: OSSEC HIDS v2.6
Last keep alive: Not available
Syscheck last started at: Thu Aug 23 13:34:19 2012
Rootcheck last started at: Unknown
Thanks for any hints/tips/suggestions.
Doug O'Leary
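One way to answer the "is it still running?" question from the log alone, as an added example that is not part of the original post: a small shell function that reads an ossec.log file and reports whether the most recent syscheck start message has a matching completion message. The "Finished creating syscheck database (pre-scan completed)." and "Starting/Ending syscheck scan." messages are assumed from the OSSEC 2.x ossec-syscheckd sources and are not quoted in the post; the sample log files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Reports whether the last
# syscheck run recorded in an ossec.log file has finished.
# Assumption: OSSEC 2.x logs "Starting syscheck database (pre-scan)." /
# "Finished creating syscheck database (pre-scan completed)." for the
# initial database build and "Starting syscheck scan." / "Ending syscheck
# scan." for later runs (taken from the ossec-syscheckd sources, not from
# the post). Only the most recent of these messages decides the answer.

# syscheck_state LOGFILE -> prints "running", "finished" or "never-started"
syscheck_state() {
    last=$(grep 'ossec-syscheckd: INFO: ' "$1" \
        | grep -E 'Starting syscheck|Finished creating syscheck|Ending syscheck scan' \
        | tail -n 1)
    case "$last" in
        '')          echo never-started ;;   # no syscheck start message at all
        *Starting*)  echo running ;;         # start seen, no completion after it
        *)           echo finished ;;        # last message is a completion
    esac
}

# Constructed sample log: the initial pre-scan is still in progress.
SAMPLE_RUNNING=$(mktemp)
cat > "$SAMPLE_RUNNING" <<'EOF'
2012/08/23 13:34:15 ossec-syscheckd: INFO: Started (pid: 1234).
2012/08/23 13:34:19 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
EOF

# Constructed sample log: the pre-scan completed and a later scan also ended.
SAMPLE_DONE=$(mktemp)
cat > "$SAMPLE_DONE" <<'EOF'
2012/08/23 13:34:19 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2012/08/23 15:02:40 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2012/08/23 15:17:41 ossec-syscheckd: INFO: Starting syscheck scan.
2012/08/23 15:25:03 ossec-syscheckd: INFO: Ending syscheck scan.
EOF

echo "sample 1: $(syscheck_state "$SAMPLE_RUNNING")"   # running
echo "sample 2: $(syscheck_state "$SAMPLE_DONE")"      # finished
```

On a live host, point the function at /var/ossec/logs/ossec.log and combine its answer with the queue-file growth check from the post before restarting or zeroing anything.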