Thanks Victor. Quick fix to your useful command, it is missing queue folder:
$ find /var/ossec/queue/agent-info/* -mtime +60 -ls On Tue, Aug 2, 2016 at 11:37 AM, Victor Fernandez <vic...@wazuh.com> wrote: > Hi Derek. > > You can do that by watching the modification time (with ls or stat) of > the agent's information file at /var/ossec/queue/agent-info. For example, > if the agent name is "myagent" and the IP is "1.2.3.4", the file will be " > /var/ossec/queue/agent-info/myagent-1.2.3.4". > > When an agent sends a keep-alive message (every 10 minutes), its > corresponding file gets updated. In fact, the agent-control utility reads > internally the modification time of those files in order to know whether > agents are connected or disconnected. If it's been more than half hour > since the last update time, OSSEC assumes that the agent is disconnected. > > This is an example to list the agents that have not connected since 2 > months (60 days): > > $ find /var/ossec/agent-info/* -mtime +60 -ls > > Kind regards. > > > On Tuesday, August 2, 2016 at 10:52:05 AM UTC-7, Derek Day wrote: >> >> Is there a simple way to show the last time an agent connected to the >> server? I'm looking for a way to identify agents that haven't been used for >> say 2 months. >> > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
