Hi Derek. You can do that by watching the modification time (with ls or stat) of the agent's information file at /var/ossec/queue/agent-info. For example, if the agent name is "myagent" and the IP is "1.2.3.4", the file will be "/var/ossec/queue/agent-info/myagent-1.2.3.4".

When an agent sends a keep-alive message (every 10 minutes), its corresponding file gets updated. In fact, the agent-control utility internally reads the modification time of those files in order to know whether agents are connected or disconnected. If it's been more than half an hour since the last update time, OSSEC assumes that the agent is disconnected.

This is an example to list the agents that have not connected for 2 months (60 days):

$ find /var/ossec/queue/agent-info/* -mtime +60 -ls

Kind regards.

On Tuesday, August 2, 2016 at 10:52:05 AM UTC-7, Derek Day wrote:
> Is there a simple way to show the last time an agent connected to the
> server? I'm looking for a way to identify agents that haven't been used for
> say 2 months.
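
Added example (not part of the original thread, and not OSSEC's own code): a shell function that reads the same agent-info modification times and applies both thresholds from the reply, more than half an hour for a disconnected agent and a configurable number of days (60 by default) for an unused one. It assumes GNU find (-printf) and the directory named in the message; the function name and the ACTIVE/DISCONNECTED/STALE labels are made up for this example.

```shell
#!/bin/sh
# Added example, not part of OSSEC. Requires GNU find (-printf).
#
# agent_last_seen [DIR] [STALE_DAYS] [NOW_EPOCH]
#   DIR         agent-info directory (default: the path given in the reply)
#   STALE_DAYS  age in days after which an agent is reported as STALE
#   NOW_EPOCH   reference time in epoch seconds (default: current time)
#
# Prints one line per agent file, oldest first:
#   <status> <minutes since last keep-alive> <file name>
agent_last_seen() {
    dir=${1:-/var/ossec/queue/agent-info}
    stale_days=${2:-60}
    now=${3:-$(date +%s)}

    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    # %T@ = modification time in epoch seconds, %f = file name without path.
    find "$dir" -maxdepth 1 -type f -printf '%T@ %f\n' |
    awk -v now="$now" -v stale="$stale_days" '
        {
            mtime = int($1)
            name  = substr($0, index($0, " ") + 1)
            age   = now - mtime                     # seconds since last update

            if (age > stale * 86400) status = "STALE"         # unused agent
            else if (age > 1800)     status = "DISCONNECTED"  # > half an hour
            else                     status = "ACTIVE"

            printf "%s %d %s\n", status, age / 60, name
        }' |
    sort -k2,2nr
}

# Usage (run as a user that can read the directory):
#   agent_last_seen                      # defaults: 60 days, current time
#   agent_last_seen /var/ossec/queue/agent-info 30
```

Piping the output through `grep '^STALE'` gives the list of agent files that are candidates for review.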
