On Wed, Sep 26, 2012 at 12:33 PM, Michael Barrett <[email protected]> wrote:
>
> Any way to do it from OSSEC?

Not by default. You could set up an AR script to log a specific string to syslog (or run /var/ossec/bin/ossec-control status or whatever), then run that script manually from the manager. If that log message doesn't come in (create an alert), you know it isn't working. Maybe a full_command running /var/ossec/bin/ossec-control status every few minutes...

> ____________________________________________
> Michael Barrett | Information Security Analyst - Lead | Mortgage Guaranty Insurance Corporation
> 270 E. Kilbourn Ave. | Milwaukee, WI 53202 USA | ( 1.414.347.6271 | 7 1.888.601.4440 | * [email protected]
>
> This message is intended for use only by the person(s) addressed above and may contain privileged and confidential information. Disclosure or use of this message by any other person is strictly prohibited. If this message is received in error, please notify the sender immediately and delete this message.
>
> From: "dan (ddp)" <[email protected]>
> To: [email protected]
> Date: 09/26/2012 10:11 AM
> Subject: Re: [ossec-list] active - running agent status?
> Sent by: [email protected]
>
> ________________________________
>
> On Wed, Sep 26, 2012 at 11:08 AM, Michael Barrett <[email protected]> wrote:
> >
> > I'm trying to verify that my updated agents are working properly
> >
> > Is there a way to actively query them?
> >
> > I used to use nagios.
> >
> > Not sure what ./agent_control actually does but it seems to come back too quickly to have actually checked all the agents in real time
> >
> > [root@newman bin]# ./agent_control
> >
> > OSSEC HIDS agent_control: Control remote agents.
> > Available options:
> >     -h          This help message.
> >     -l          List available (active or not) agents.
> >     -lc         List active agents.
> >     -i <id>     Extracts information from an agent.
> >     -R <id>     Restarts agent.
> >     -r -a       Runs the integrity/rootkit checking on all agents now.
> >     -r -u <id>  Runs the integrity/rootkit checking on one agent now.
> >
> >     -b <ip>     Blocks the specified ip address.
> >     -f <ar>     Used with -b, specifies which response to run.
> >     -L          List available active responses.
> >     -s          Changes the output to CSV (comma delimited).
> >
> > [root@newman bin]#./agent_control -lc
> >
> >    ID: 812, Name: vw8webtest, IP: 172.24.192.27, Active
> >    ID: 813, Name: vw8sql2k8test, IP: 172.24.192.13, Active
> >    ID: 814, Name: vw8defsqlqa, IP: 172.24.193.57, Active
> >    ID: 815, Name: cvw8captest, IP: 172.24.192.10, Active
> >    ID: 819, Name: w3vmon, IP: 144.122.218.24, Active
> >    ID: 820, Name: cvw3essbaset, IP: 172.24.192.39, Active
> >    ID: 821, Name: w8vrectst, IP: 172.22.200.1, Active
> >    ID: 823, Name: w3vrecqa, IP: 144.122.219.61, Active
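
An added example, not part of the thread and not OSSEC's own code: one way to turn the `agent_control -lc` listing quoted above into a Nagios-style pass/fail check against an expected inventory. The function names, the sample lines and the inventory are constructed for illustration, and the parser assumes the line format shown in the thread; it reports only what the manager lists as Active.

```shell
#!/bin/sh
# Added example (not from the thread): compare the agents reported as Active
# with an expected inventory. Assumes the "agent_control -lc" line format
# quoted in the thread:  ID: 812, Name: vw8webtest, IP: 172.24.192.27, Active

# Read agent_control output on stdin; print each expected agent name
# (given as arguments) that has no matching "Active" line.
missing_agents() {
    active=$(sed -n 's/^[[:space:]]*ID: [0-9][0-9]*, Name: \(.*\), IP: [^,]*, Active[[:space:]]*$/\1/p')
    for name in "$@"; do
        # -F fixed string, -x whole line: "vw8web" must not match "vw8webtest"
        printf '%s\n' "$active" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# Nagios-style wrapper: prints one status line, returns 0 (OK) or 2 (CRITICAL).
check_agents() {
    missing=$(missing_agents "$@" | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "CRITICAL: agents not active: ${missing% }"
        return 2
    fi
    echo "OK: all $# expected agents active"
}

# Constructed sample input: three lines in the format shown in the thread.
sample_output() {
    cat <<'EOF'
   ID: 812, Name: vw8webtest, IP: 172.24.192.27, Active
   ID: 813, Name: vw8sql2k8test, IP: 172.24.192.13, Active
   ID: 819, Name: w3vmon, IP: 144.122.218.24, Active
EOF
}

# On a manager: /var/ossec/bin/agent_control -lc | check_agents name1 name2 ...
# Here the constructed sample omits vw8defsqlqa, so the check goes CRITICAL.
sample_output | check_agents vw8webtest w3vmon vw8defsqlqa || true
```

An empty listing (for example, when the command fails) reports every expected agent as missing, so a broken manager-side query does not read as healthy.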
