On Tue, Sep 2, 2014 at 1:15 PM, dan (ddp) <[email protected]> wrote:
> On Tue, Sep 2, 2014 at 1:10 PM, Bonnie Beeler <[email protected]> wrote:
>> What code? If ossec is supposed to monitor file changes, why wouldn't it
>> tell you the time the file changed? Am I missing something? It is one other
>> field to add to the report. Why isn't this done?
>>
>
> Here's the deal. I don't have a way to verify the Windows behavior, so
> I assumed you knew what you were doing when you posted. If it's not
> doing "the right thing," then the code (source code can be found on
> github: https://github.com/ossec/ossec-hids) would probably have to
> change.
> Make the changes, and submit a pull request.
>

Thinking a bit about it, I'd check to make sure the Windows machines
have the same time (including timezone) as the Linux machines. Check
/var/ossec/localtime as well, to make sure that matches.

>> On Tuesday, September 2, 2014 7:55:30 AM UTC-4, dan (ddpbsd) wrote:
>>>
>>> On Fri, Aug 29, 2014 at 5:42 PM, Bonnie Beeler <[email protected]> wrote:
>>> > When I run syscheck_control -i on a specific agent it is displaying the
>>> > incorrect time. It is displaying the time the report ran for the Linux
>>> > boxes and for the Windows boxes it is displaying some random time,
>>> > sometimes time stamped after the time the report runs.
>>> >
>>> > The files were modified on 8/28/14 and it is displaying 8/29/14. And when
>>> > ossec-syscheckd runs it reports that the file changed after the time stamp
>>> > that the report ran. That definitely isn't possible.
>>> >
>>> > So, I am wondering if there is something I can do for it to: write the
>>> > date modified to the database and then when the report is run it displays
>>> > the time the file was modified and not the time the report ran or whatever
>>> > it is actually displaying.
>>> >
>>>
>>> No, not without modifying the code.
>>>
>>> >
>>> > Thanks,
>>> >
>>> > Bon
>>> >
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google Groups
>>> > "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send an
>>> > email to [email protected].
>>> > For more options, visit https://groups.google.com/d/optout.
