Anybody else seeing this?

On Wed, Oct 27, 2010 at 11:10 AM, jplee3 <[email protected]> wrote:
> Hey all,
>
> I seem to be having issues with agent_control with the -e flag
> producing accurate reports. It seems the Syscheck last ended time is
> always off:
>
> Syscheck last started at: Wed Oct 27 01:17:08 2010
> Syscheck last ended at: Tue Oct 26 02:35:01 2010
> Rootcheck last started at: Wed Oct 27 01:10:01 2010
> Rootcheck last ended at: Wed Oct 27 01:17:08 2010
>
> When I check the logs I see this:
>
> 2010/10/26 01:14:50 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2010/10/26 01:21:48 ossec-rootcheck: INFO: Ending rootcheck scan.
> 2010/10/26 01:21:48 ossec-syscheckd: INFO: Starting syscheck scan.
> 2010/10/26 02:35:01 ossec-syscheckd: INFO: Ending syscheck scan.
>
> 2010/10/27 01:10:01 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2010/10/27 01:17:08 ossec-rootcheck: INFO: Ending rootcheck scan.
> 2010/10/27 01:17:08 ossec-syscheckd: INFO: Starting syscheck scan.
> 2010/10/27 02:30:47 ossec-syscheckd: INFO: Ending syscheck scan.
>
> So it seems like it's not properly getting the latest "Ending syscheck
> scan" for some reason.
>
> The exact command I am running is "agent_control -i 001 -e"
> This occurs for most of my agents. A few seem to be OK but there are
> also a few that seem to be stuck reading ended Syschecks from over a
> week ago!
>
> Syscheck last started at: Sun Oct 24 01:20:05 2010
> Syscheck last ended at: Sun Oct 17 01:32:58 2010
> Rootcheck last started at: Sun Oct 24 01:13:00 2010
> Rootcheck last ended at: Sun Oct 24 01:20:05 2010
>
> --Jeremy
