The agent_control tool allows you to query and get information from any agent you have configured on your server and it also allows you to restart (run now) the syscheck/rootcheck scan on any agent.
Enabling active response will be necessary to start scans remotely and possibly other functions.
-h
¶Display the help message
-l
¶List available (active or not) agents
-lc
¶List active agents
-i
<agent_id>
¶Extracts information from an agent
-R
<agent_id>
¶Restarts the OSSEC processes on the agent
Note
Requires active response to be enabled.
-r
¶Run the integrity/rootcheck checking on agents. Must be utilized
with agent_control -a
or agent_control -u
Note
Requires active response to be enabled.
-a
¶Utilizes all agents.
-u
<agent_id>
¶<agent_id> that will perform the requested action.
The first interesting argument is agent_control -lc
, to list the connected (active agents). To list
all of them, use agent_control -l
only.
# /var/ossec/bin/agent_control -lc
OSSEC HIDS agent_control. List of available agents:
ID: 000, Name: enigma.ossec.net (server), IP: 127.0.0.1, Active/Local
ID: 002, Name: winhome, IP: 192.168.2.190, Active
ID: 005, Name: jul, IP: 192.168.2.0/24, Active
ID: 165, Name: esqueleto2, IP: 192.168.2.99, Active
ID: 174, Name: lili3win, IP: 192.168.2.0/24, Active
To query an agent, just use the agent_control -i
option followed by the agent id.
# /var/ossec/bin/agent_control -i 002
OSSEC HIDS agent_control. Agent information:
Agent ID: 002
Agent Name: winhome
IP address: 192.168.2.190
Status: Active
Operating system: Microsoft Windows XP Professional (Build 2600)
Client version: OSSEC HIDS v1.5-SNP-080412
Last keep alive: Fri Apr 25 14:33:03 2008
Syscheck last started at: Fri Apr 25 05:07:13 2008
Rootcheck last started at: Fri Apr 25 09:04:12 2008
To execute the syscheck/rootcheck scan immediately, use the agent_control -r
option followed by the agent_control -u
with the agent id.
# /var/ossec/bin/agent_control -r -u 000
OSSEC HIDS agent_control: Restarting Syscheck/Rootcheck locally.