This tool allows you to query and get information from any agent you have configured on your server and it also allows you to restart (run now) the syscheck/rootcheck scan on any agent.
How does it work? The first interesting option is “-lc”, which lists the connected (active) agents. To list all of them, use “-l” only.
Example 1: Listing all active agents:
# /var/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: enigma.ossec.net (server), IP: 127.0.0.1, Active/Local
ID: 002, Name: winhome, IP: 192.168.2.190, Active
ID: 005, Name: jul, IP: 192.168.2.0/24, Active
ID: 165, Name: esqueleto2, IP: 192.168.2.99, Active
ID: 174, Name: lili3win, IP: 192.168.2.0/24, Active
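An added example (not part of the original OSSEC documentation): a shell check that reads the “-l” listing in the format shown above and reports every agent whose status is not Active, so that a host which has stopped reporting gets noticed. The sample listing is constructed, and the “Disconnected” and “Never connected” status strings in it are assumptions for illustration.

```shell
#!/bin/sh
# Added example: flag agents that are not reporting, from `agent_control -l` output.

# Constructed sample in the format of Example 1. The "Disconnected" and
# "Never connected" rows are assumed status values, not taken from the page.
sample_agent_list() {
cat <<'EOF'
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: enigma.ossec.net (server), IP: 127.0.0.1, Active/Local
   ID: 002, Name: winhome, IP: 192.168.2.190, Active
   ID: 005, Name: jul, IP: 192.168.2.0/24, Disconnected
   ID: 165, Name: esqueleto2, IP: 192.168.2.99, Never connected
EOF
}

# Reads the listing on stdin and prints "id<TAB>name<TAB>status" for each
# agent whose last field does not start with "Active" (covers "Active/Local").
inactive_agents() {
    awk -F', ' '
        /^[ \t]*ID: / {
            id = $1;     sub(/^[ \t]*ID: /, "", id)
            name = $2;   sub(/^Name: /, "", name)
            status = $NF; sub(/[ \t\r]+$/, "", status)
            if (status !~ /^Active/)
                printf "%s\t%s\t%s\n", id, name, status
        }'
}

# Returns 1 (and prints the offenders) when any agent is silent, so the
# function can drive a cron job or monitoring probe.
check_agents() {
    out=$(inactive_agents)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Demo on the constructed sample. On a real server:
#   /var/ossec/bin/agent_control -l | check_agents
sample_agent_list | inactive_agents
```

A silent agent produces no alerts at all, so a non-zero result from `check_agents` is worth treating as an event in its own right.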
To query an agent, just use the “-i” option followed by the agent id.
Example 2: Querying information from agent 002:
# /var/ossec/bin/agent_control -i 002
OSSEC HIDS agent_control. Agent information:
Agent ID: 002
Agent Name: winhome
IP address: 192.168.2.190
Status: Active
Operating system: Microsoft Windows XP Professional (Build 2600)
Client version: OSSEC HIDS v1.5-SNP-080412
Last keep alive: Fri Apr 25 14:33:03 2008
Syscheck last started at: Fri Apr 25 05:07:13 2008
Rootcheck last started at: Fri Apr 25 09:04:12 2008
To execute the syscheck/rootcheck scan immediately, use the “-r” option followed by the “-u” and the agent id.
Example 3: Executing syscheck and rootcheck scan immediately:
# /var/ossec/bin/agent_control -r -u 000
OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck locally.
For more information, just run it with the “-h” option:
# /var/ossec/bin/agent_control -h
OSSEC HIDS agent_control: Control remote agents.
Available options:
-h This help message.
-l List available (active or not) agents.
-lc List active agents.
-i <id> Extracts information from an agent.
-r -a Runs the integrity/rootkit checking on all agents now.
-r -u <id> Runs the integrity/rootkit checking on one agent now.
-s Changed the output to CSV (comma delimited).

