On Thu, Aug 23, 2012 at 3:33 PM, dkoleary <[email protected]> wrote:
> Hi;
>
> It now appears that quite a bit of my initial problems have been caused by
> my own impatience. As others have noted, when running syscheck initially, it
> creates the database of files w/ checksums, permissions etc. That,
> apparently, takes *A LONG* time lol.
>
> For testing, I have the syscheck frequency set to 15 minutes. Obviously,
> that first syscheck build-the-database thing is taking quite a bit longer
> than that. I'm able to trace the progress a bit by watching the
> /var/ossec/queue/syscheck/syscheck file grow and by tail'ing it occasionally
> to see what directory it's hitting.
>
> In the ossec.log file, I saw
>
> 2012/08/23 13:34:19 ossec-syscheckd: INFO: Starting syscheck database
> (pre-scan).
>
> Is that the line that says it's building the database? Is there a line
> that'll get displayed when that's done? Is there any way to find out if
> syscheck is actively running/scanning so I don't shoot myself in the foot
> again by starting/stopping/updating/zeroing out, or any of the other host of
> things I did today in my impatience?
>
> The agent_control line simply says when it last ran - not that it's still
> running...
>
> # agent_control -i 000
>
> OSSEC HIDS agent_control. Agent information:
> Agent ID: 000 (local instance)
> Agent Name: ${myhost}.${myco}
> IP address: 127.0.0.1
> Status: Active/Local
>
> Operating system: Linux ${myhost}.${myco} 2.6.32-279.5.1.el6.x86_6..
> Client version: OSSEC HIDS v2.6
> Last keep alive: Not available
>
> Syscheck last started at: Thu Aug 23 13:34:19 2012
> Rootcheck last started at: Unknown
>
> Thanks for any hints/tips/suggestions.
>
> Doug O'Leary
top
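An added example, not from the thread, of how Doug's "is syscheck still running?" question can be answered from ossec.log itself: a small POSIX sh helper that reports whether the last syscheck phase logged by ossec-syscheckd has ended. The "Starting syscheck database (pre-scan)." line is the one quoted above; the completion and scan start/end messages are assumed to match OSSEC 2.x and should be checked against your own ossec.log before relying on them.

```shell
#!/bin/sh
# Added example (not from the original thread): decide from ossec.log whether
# the syscheck database build or a periodic scan is still in progress.
# Assumption: besides the "Starting syscheck database (pre-scan)." line quoted
# in the thread, ossec-syscheckd logs "Finished creating syscheck database
# (pre-scan completed)." and "Starting syscheck scan." / "Ending syscheck scan."
# when the corresponding phases begin and end; adjust the patterns if yours differ.

OSSEC_LOG="${OSSEC_LOG:-/var/ossec/logs/ossec.log}"

# Print "running" when the most recent syscheck phase that started has not
# logged an end marker, "idle" when it has, "unknown" when the log shows no
# syscheck activity at all (or cannot be read).
syscheck_state() {
    log="$1"
    last=$(grep 'ossec-syscheckd: INFO:' "$log" 2>/dev/null \
        | grep -E 'Starting syscheck|Finished creating syscheck|Ending syscheck scan' \
        | tail -n 1)
    case "$last" in
        '')          echo unknown ;;
        *Starting*)  echo running ;;
        *)           echo idle ;;
    esac
}

# A log line alone cannot tell you whether syscheckd died mid-build, so also
# confirm the daemon process exists. Returns 0 when it is alive.
syscheckd_alive() {
    pgrep -x ossec-syscheckd >/dev/null 2>&1
}

# Constructed sample log for offline demonstration.
demo_log=$(mktemp)
cat >"$demo_log" <<'EOF'
2012/08/23 13:34:19 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
EOF
echo "after pre-scan start:  $(syscheck_state "$demo_log")"   # running
cat >>"$demo_log" <<'EOF'
2012/08/23 15:02:44 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
EOF
echo "after pre-scan finish: $(syscheck_state "$demo_log")"   # idle
rm -f "$demo_log"
```

On a live host run `syscheck_state "$OSSEC_LOG"` together with `syscheckd_alive` before stopping or re-initialising the agent; "running" plus a growing /var/ossec/queue/syscheck/syscheck file means the database build is still under way.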
