Yes, they all have the same time, Windows and Linux. I'm not sure what you mean by "I assumed you knew what you were doing when you posted". I have been into ossec for all of 1 week with my new job, so I don't know a whole lot about it, other than to install pair to the server, run individual syschecks and the basic commands listed on the site on the Linux side. However, I am primarily a Windows person and would love to get the time stamp showing the file change date\time if possible. I will check the source code to see what I can find on how to pull this info. So, you are saying it is a simple change to get this info? I don't want to get too deep into it if it takes a whole lot of work, as this would just help me a bit and isn't completely a necessity.

On Tuesday, September 2, 2014 1:35:04 PM UTC-4, dan (ddpbsd) wrote:
>
> On Tue, Sep 2, 2014 at 1:15 PM, dan (ddp) <[email protected]> wrote:
> > On Tue, Sep 2, 2014 at 1:10 PM, Bonnie Beeler <[email protected]> wrote:
> >> What code? If ossec is supposed to monitor file changes, why wouldn't it
> >> tell you the time the file changed. Am I missing something. It is one other
> >> field to add to the report. Why isn't this done?
> >>
> >
> > Here's the deal. I don't have a way to verify the Windows behavior, so
> > I assumed you knew what you were doing when you posted. If it's not
> > doing "the right thing," then the code (source code can be found on
> > github: https://github.com/ossec/ossec-hids) would probably have to
> > change.
> > Make the changes, and submit a pull request.
> >
>
> Thinking a bit about it, I'd check to make sure the Windows machines
> have the same time (including timezone) as the Linux machines. Check
> /var/ossec/localtime as well, to make sure that matches.
>
> >> On Tuesday, September 2, 2014 7:55:30 AM UTC-4, dan (ddpbsd) wrote:
> >>>
> >>> On Fri, Aug 29, 2014 at 5:42 PM, Bonnie Beeler <[email protected]> wrote:
> >>> > When I run syscheck_control -i on a specific agent it is displaying the
> >>> > incorrect time. It is displaying the time the report ran for the Linux
> >>> > boxes and for the Windows boxes it is displaying some random time sometimes
> >>> > time stamped after the time the report runs.
> >>> >
> >>> > The files were modified on 8/28/14 and it is displaying 8/29/14. And when
> >>> > ossec-syscheckd runs it reports that the file changed after the time stamp
> >>> > that the report ran. That definitely isn't possible.
> >>> >
> >>> > So, I am wondering if there is something I can do for it to: write the date
> >>> > modified to the database and then when the report is ran it displays the
> >>> > time the file was modified and not the time the report ran or whatever it is
> >>> > actually displaying.
> >>> >
> >>>
> >>> No, not without modifying the code.
> >>>
> >>> >
> >>> > Thanks,
> >>> >
> >>> > Bon
> >>> >
> >>> > --
> >>> > ---
> >>> > You received this message because you are subscribed to the Google Groups
> >>> > "ossec-list" group.
> >>> > To unsubscribe from this group and stop receiving emails from it, send an
> >>> > email to [email protected].
> >>> > For more options, visit https://groups.google.com/d/optout.
