I have a couple of agents showing this behavior. I'm not sure if the manager missed the message from the agent, or what.
On Thu, Oct 28, 2010 at 2:53 PM, Jeremy Lee <jpl...@gmail.com> wrote: > Anybody else seeing this? > > On Wed, Oct 27, 2010 at 11:10 AM, jplee3 <jpl...@gmail.com> wrote: >> >> Hey all, >> >> I seem to be having issues with agent_control with the -e flag >> producing accurate reports. It seems the Syscheck last ended time is >> always off: >> >> Syscheck last started at: Wed Oct 27 01:17:08 2010 >> Syscheck last ended at: Tue Oct 26 02:35:01 2010 >> Rootcheck last started at: Wed Oct 27 01:10:01 2010 >> Rootcheck last ended at: Wed Oct 27 01:17:08 2010 >> >> >> When I check the logs I see this: >> >> 2010/10/26 01:14:50 ossec-rootcheck: INFO: Starting rootcheck scan. >> 2010/10/26 01:21:48 ossec-rootcheck: INFO: Ending rootcheck scan. >> 2010/10/26 01:21:48 ossec-syscheckd: INFO: Starting syscheck scan. >> 2010/10/26 02:35:01 ossec-syscheckd: INFO: Ending syscheck scan. >> >> 2010/10/27 01:10:01 ossec-rootcheck: INFO: Starting rootcheck scan. >> 2010/10/27 01:17:08 ossec-rootcheck: INFO: Ending rootcheck scan. >> 2010/10/27 01:17:08 ossec-syscheckd: INFO: Starting syscheck scan. >> 2010/10/27 02:30:47 ossec-syscheckd: INFO: Ending syscheck scan. >> >> >> So it seems like it's not properly getting the latest "Ending syscheck >> scan" for some reason. >> >> The exact command I am running is "agent_control -i 001 -e" >> This occurs for most of my agents. A few seem to be OK but there are >> also a few that seem to be stuck reading ended Syschecks from over a >> week ago! >> >> >> Syscheck last started at: Sun Oct 24 01:20:05 2010 >> Syscheck last ended at: Sun Oct 17 01:32:58 2010 >> Rootcheck last started at: Sun Oct 24 01:13:00 2010 >> Rootcheck last ended at: Sun Oct 24 01:20:05 2010 >> >> >> --Jeremy >> > >
