Last time agent connected to server


Derek Day

Aug 2, 2016, 1:52:05 PM
to ossec-list
Is there a simple way to show the last time an agent connected to the server? I'm looking for a way to identify agents that haven't been used for, say, 2 months.

Pedro Sanchez

Aug 2, 2016, 2:14:51 PM
to ossec...@googlegroups.com
Hi, try checking the last keep-alive or the last modification date of the agent-info file.

/var/ossec/bin/agent_control -i 005

Output:

   Agent ID:   005
   Agent Name: agent-ubuntu
   IP address: 10.0.0.xx
   Status:     Disconnected
   Operating system:    Linux vpc-agent-ubuntu-public 3.13.0-44-generic...
   Client version:      OSSEC HIDS v2.8 / e0eda63a04ca5c24e749c713bfd4541b
   Last keep alive:     Wed Jun 22 19:20:07 2016
   Syscheck last started  at: Wed Jun 22 17:20:48 2016
   Rootcheck last started at: Tue Jun 21 23:32:33 2016

Or:

$ ls -lah /var/ossec/queue/agent-info/vpc-agent-ubuntu*

-rw-r--r-- 1 ossecr ossec 152 Jun 22 19:20 /var/ossec/queue/agent-info/vpc-agent-ubuntu

Best regards,

Pedro S.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Victor Fernandez

Aug 2, 2016, 2:37:11 PM
to ossec-list
Hi Derek.

You can do that by watching the modification time (with ls or stat) of the agent's information file at /var/ossec/queue/agent-info. For example, if the agent name is "myagent" and the IP is "1.2.3.4", the file will be "/var/ossec/queue/agent-info/myagent-1.2.3.4".

When an agent sends a keep-alive message (every 10 minutes), its corresponding file gets updated. In fact, the agent_control utility internally reads the modification time of those files in order to know whether agents are connected or disconnected. If it has been more than half an hour since the last update time, OSSEC assumes that the agent is disconnected.

This is an example to list the agents that have not connected for 2 months (60 days):

$ find /var/ossec/agent-info/* -mtime +60 -ls

Kind regards.

Pedro Sanchez

Aug 2, 2016, 2:44:26 PM
to ossec...@googlegroups.com
Thanks Victor.

Quick fix to your useful command: it is missing the queue folder:

$ find /var/ossec/queue/agent-info/* -mtime +60 -ls

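The two approaches from this thread side by side, as an added example that is not from the thread or from the OSSEC project: the mtime of the agent-info file (the find command above, plus the 30-minute connected/disconnected rule Victor describes) and the "Last keep alive" line of agent_control -i output. It assumes GNU coreutils (find -printf, touch -d, stat -c, date -d, date -r) and builds a constructed temporary directory instead of touching /var/ossec/queue/agent-info, so it runs anywhere; on a real server, pass that path to the functions instead.

```shell
#!/bin/sh
# Added example (not from the ossec-list thread or the OSSEC project).
# Assumes GNU coreutils: find -printf, touch -d, stat -c, date -d / date -r.
# The sample directory below is constructed so the script runs anywhere;
# on a real server pass /var/ossec/queue/agent-info to the functions instead.

SAMPLE_DIR=$(mktemp -d)
trap 'rm -r "$SAMPLE_DIR"' EXIT

# Constructed agent-info files named <agent>-<ip>. The mtime of each file
# stands in for the time of the agent's last keep-alive.
touch -d "now"            "$SAMPLE_DIR/web01-10.0.0.11"
touch -d "45 minutes ago" "$SAMPLE_DIR/db01-10.0.0.12"
touch -d "90 days ago"    "$SAMPLE_DIR/old01-10.0.0.13"

# List agents whose file has not been modified for more than $2 days
# (default 60): the same test as "find ... -mtime +60", printing only
# the file name so the output can feed a decommissioning review.
stale_agents() {
    dir=$1; days=${2:-60}
    find "$dir" -maxdepth 1 -type f -mtime "+$days" -printf '%f\n' | sort
}

# Classify one agent the way agent_control does: keep-alives arrive every
# 10 minutes, so a file untouched for more than 30 minutes means the
# agent is disconnected.
agent_status() {
    age_min=$(( ( $(date +%s) - $(stat -c %Y "$1") ) / 60 ))
    if [ "$age_min" -gt 30 ]; then echo disconnected; else echo connected; fi
}

# Alternative source: the "Last keep alive" line of agent_control -i output.
# $1 is the captured output; prints the age of that timestamp in whole days.
keepalive_age_days() {
    ts=$(printf '%s\n' "$1" | sed -n 's/^ *Last keep alive: *//p')
    echo $(( ( $(date +%s) - $(date -d "$ts" +%s) ) / 86400 ))
}

# Constructed excerpt of agent_control -i output, same shape as in the thread.
SAMPLE_OUTPUT='   Agent ID:   005
   Agent Name: agent-ubuntu
   Last keep alive:     Wed Jun 22 19:20:07 2016'

# Human-readable report: last keep-alive time and status for every agent.
report() {
    for f in "$1"/*; do
        printf '%-18s %-13s last keep-alive %s\n' \
            "$(basename "$f")" "$(agent_status "$f")" \
            "$(date -r "$f" '+%Y-%m-%d %H:%M')"
    done
}

report "$SAMPLE_DIR"
echo "Silent for more than 60 days:"
stale_agents "$SAMPLE_DIR" 60
echo "Sample agent 005 last keep-alive was $(keepalive_age_days "$SAMPLE_OUTPUT") days ago"
```

Note that both sources measure the same thing: agent_control's "Last keep alive" is derived from the agent-info file's mtime, so the file-based check is the one to script, and the 30-minute threshold is only useful for "connected right now", not for finding agents that have been silent for weeks.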

Derek Day

Aug 2, 2016, 2:48:05 PM
to ossec...@googlegroups.com
This is perfect, exactly what I was looking for. Thank you very much for the help!


Chanti Naani

Aug 10, 2016, 8:29:16 PM
to ossec-list
Thanks Pedro and Victor.
