manual syscheck execution and frequency


vtrack

Aug 26, 2013, 7:46:28 AM
to ossec...@googlegroups.com
Hi,

I tried to manually run syscheck on an Agent as below, however the "last started date" is still showing the previous run. I have enabled active response for both server and agent. What could be causing this? Didn't the syscheck scan run successfully?

Also, I wanted to know the minimum syscheck frequency I can specify. I have set 600 on the ossec server and agent to run a few quick tests. That should run the syscheck scan every 10 mins, correct? I see there is a syscheck frequency tag on both the ossec server and the agent. If the server pushes syscheck to the agent, what is the agent's syscheck frequency used for?

# /var/ossec/bin/agent_control -i 002

OSSEC HIDS agent_control. Agent information:
   Agent ID:   002
   Agent Name: agent-vm1
   IP address: 192.168.0.10
   Status:     Active

   Operating system:    Linux agent-vm1 2.6.32-71.e..
   Client version:      OSSEC HIDS v2.7
   Last keep alive:     Mon Aug 26 04:25:44 2013

   Syscheck last started  at: Mon Aug 26 03:58:54 2013
   Rootcheck last started at: Mon Aug 26 03:44:31 2013

/var/ossec/bin/agent_control -r -u 002

OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck on agent: 002


/var/ossec/bin/agent_control -i 002

OSSEC HIDS agent_control. Agent information:
   Agent ID:   002
   Agent Name: agent-vm1
   IP address: 192.168.0.10
   Status:     Active

   Operating system:    Linux agent-vm1 2.6.32-71.e..
   Client version:      OSSEC HIDS v2.7
   Last keep alive:     Mon Aug 26 04:25:44 2013

   Syscheck last started  at: Mon Aug 26 03:58:54 2013
   Rootcheck last started at: Mon Aug 26 03:44:31 2013


Thanks!

vtrack

Aug 27, 2013, 12:58:10 AM
to ossec...@googlegroups.com
Even though I keep 600 secs for the syscheck frequency (in both the server and agent ossec.conf files), I don't see the syscheck scan happening every 10 mins. The syscheck scan does occur, but every 30 mins.

Can someone help me with this issue please? I would like to know if I am running a wrong config that is causing all these issues.

dan (ddp)

Aug 30, 2013, 11:39:01 AM
to ossec...@googlegroups.com
How long after the previous scan _finishes_ does it take for the new
scan to start?


vtrack

Sep 4, 2013, 1:19:57 AM
to ossec...@googlegroups.com

Hi,

I could find only the syscheck scan "start" time. Where do I check to find the "finish" time for each syscheck run? The scan is initiated every 30 mins, i.e. if a scan starts at 12:00, the next scan would start at 12:30 and then at 1:00 and so on.

BTW I am checking the start time given by agent_control -i <id>

vtrack

Sep 4, 2013, 5:49:40 AM
to ossec...@googlegroups.com

I checked the ossec logs and found the scan start and finish times. The scan was completed in about 5 mins. Log snippet given below.

2013/08/26 02:28:50 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/08/26 02:28:50 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2013/08/26 02:33:01 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2013/08/26 02:33:13 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).

dan (ddp)

Sep 4, 2013, 9:51:01 AM
to ossec...@googlegroups.com
And how long after this is the next scan started?

vtrack

Sep 5, 2013, 5:42:40 AM
to ossec...@googlegroups.com
These are the latest ones I see for syscheck scan start and end time. Each scan takes about 4 to 5 mins to complete. And the next scan starts in about 15 mins.

2013/09/04 21:42:37 ossec-syscheckd: INFO: Starting syscheck scan.
2013/09/04 21:46:56 ossec-syscheckd: INFO: Ending syscheck scan.

2013/09/04 22:01:56 ossec-syscheckd: INFO: Starting syscheck scan.
2013/09/04 22:06:15 ossec-syscheckd: INFO: Ending syscheck scan.

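As an added illustration (not code from the thread or from OSSEC itself): a small Python script that pairs the Starting/Ending lines vtrack posted and computes each scan's duration, the end-to-next-start gap dan is asking about, and the start-to-start period. It assumes only the default ossec.log timestamp format shown in the posts.

```python
import re
from datetime import datetime

# Input: the ossec.log excerpt posted above (agent running OSSEC HIDS v2.7).
SAMPLE_LOG = """\
2013/09/04 21:42:37 ossec-syscheckd: INFO: Starting syscheck scan.
2013/09/04 21:46:56 ossec-syscheckd: INFO: Ending syscheck scan.
2013/09/04 22:01:56 ossec-syscheckd: INFO: Starting syscheck scan.
2013/09/04 22:06:15 ossec-syscheckd: INFO: Ending syscheck scan.
"""

# Matches both the plain form and the "(forwarding database)" form seen earlier.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-syscheckd: INFO: "
    r"(?P<event>Starting|Ending) syscheck scan"
)

def parse_scans(log_text):
    """Pair each 'Starting' line with the next 'Ending' line and return
    a list of (start, end) datetimes. A start with no matching end (scan
    still running, or the daemon was restarted) is dropped."""
    scans, start = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        if m.group("event") == "Starting":
            start = ts
        elif start is not None:
            scans.append((start, ts))
            start = None
    return scans

def scan_timing(scans):
    """Return (durations, gaps, periods) in whole seconds.
    durations: how long each scan ran; gaps: idle time from one scan's end
    to the next scan's start (what dan asks for); periods: start-to-start,
    which is what a configured <frequency> is usually compared against."""
    def secs(a, b):
        return int((b - a).total_seconds())
    durations = [secs(s, e) for s, e in scans]
    gaps = [secs(scans[i][1], scans[i + 1][0]) for i in range(len(scans) - 1)]
    periods = [secs(scans[i][0], scans[i + 1][0]) for i in range(len(scans) - 1)]
    return durations, gaps, periods

if __name__ == "__main__":
    d, g, p = scan_timing(parse_scans(SAMPLE_LOG))
    print(f"durations={d}s gaps={g}s start-to-start={p}s")
```

Run against a full agent ossec.log to see whether the gap or the start-to-start period is the one tracking the configured frequency.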

dan (ddp)

Sep 5, 2013, 9:40:09 AM
to ossec...@googlegroups.com
On Thu, Sep 5, 2013 at 5:42 AM, vtrack <tijo.t...@gmail.com> wrote:
> These are the latest ones I see for syscheck scan start and end time. Each
> scan takes about 4 to 5 mins to complete. And the next scan starts in about 15
> mins.
>

That may be as close as you'll be able to get. You could try setting
it lower to see if that gets you close to 10 minutes.

> 2013/09/04 21:42:37 ossec-syscheckd: INFO: Starting syscheck scan.
> 2013/09/04 21:46:56 ossec-syscheckd: INFO: Ending syscheck scan.
>
> 2013/09/04 22:01:56 ossec-syscheckd: INFO: Starting syscheck scan.
> 2013/09/04 22:06:15 ossec-syscheckd: INFO: Ending syscheck scan.
>
>