After a short introduction to OSSEC we look at rules/alerts, email alerts, active response, OSSEC commands, and a few reports. A few graphs and notes regarding future work are also touched upon.
agent_control options:
  -l          List available (active or not) agents.
  -lc         List active agents.
  -i <id>     Extracts information from an agent.
  -R <id>     Restarts agent.
  -r -a       Runs the integrity/rootkit checking on all agents now.
  -r -u <id>  Runs the integrity/rootkit checking on one agent now.
  -b <ip>     Blocks the specified ip address.
  -f <ar>     Used with -b, specifies which response to run.
  -L          List available active responses.
  -s          Changes the output to CSV (comma delimited).
Sample output of agent_control -i 002 (host name and address redacted):

  Agent ID: 002
  Agent Name: v__.___.___.edu
  IP address: 128.###.###.142
  Status: Active
  Operating system: Linux v_.__.__.edu 2.6.18-400.1.1.el5 #1 SMP ..
  Client version: OSSEC HIDS v2.7
  Last keep alive: Sun Feb 7 20:15:05 2016
  Syscheck last started at: Sun Feb 7 00:31:07 2016
  Rootcheck last started at: Sun Feb 7 00:46:24 2016
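The keep-alive and scan timestamps above are what a defender watches to notice an agent that has silently stopped reporting. The following script is an added example, not OSSEC's own code: it parses the text layout printed by agent_control -i into a dictionary and flags an agent whose last keep-alive is older than an assumed threshold. The sample block, the host names, the addresses and the 20-minute threshold are all constructed for the example.

```python
# Added example (not part of OSSEC): parse `agent_control -i <id>` output and flag stale agents.
from datetime import datetime

# Constructed sample in the layout agent_control -i prints; names and addresses are placeholders.
SAMPLE_AGENT_INFO = """\
Agent ID: 002
Agent Name: agent02.example.edu
IP address: 192.0.2.142
Status: Active
Operating system: Linux agent02.example.edu 2.6.18-400.1.1.el5 #1 SMP
Client version: OSSEC HIDS v2.7
Last keep alive: Sun Feb 7 20:15:05 2016
Syscheck last started at: Sun Feb 7 00:31:07 2016
Rootcheck last started at: Sun Feb 7 00:46:24 2016
"""

# Timestamps are in C ctime() form ("Sun Feb  7 20:15:05 2016"); ctime() pads
# single-digit days with a second space, which parse_ctime() collapses first.
TIME_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_agent_info(text):
    """Turn the 'Key: value' lines into a dict; lines without ': ' are ignored."""
    info = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        info[key.strip()] = value.strip()
    return info


def parse_ctime(value):
    return datetime.strptime(" ".join(value.split()), TIME_FORMAT)


def keepalive_age_seconds(info, now_text):
    """Seconds between the agent's last keep-alive and `now_text` (same ctime() format)."""
    last = parse_ctime(info["Last keep alive"])
    return int((parse_ctime(now_text) - last).total_seconds())


def is_stale(info, now_text, max_age_seconds=20 * 60):
    """Assumed policy: an agent is stale if it is not Active or has not reported
    within max_age_seconds (20 minutes here; tune to your keep-alive interval)."""
    if info.get("Status") != "Active":
        return True
    return keepalive_age_seconds(info, now_text) > max_age_seconds


if __name__ == "__main__":
    agent = parse_agent_info(SAMPLE_AGENT_INFO)
    now = "Sun Feb 7 21:00:00 2016"  # constructed reference time
    print(agent["Agent Name"], "age:", keepalive_age_seconds(agent, now), "s",
          "stale" if is_stale(agent, now) else "ok")
```

In practice the text would come from running agent_control -i for each ID listed by agent_control -lc, and a stale result is the cue to check the agent host before trusting that its syscheck and rootcheck results are current.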
rootcheck_control (manages the rootcheck database) options:
  -i <id>  Prints database for the agent.
  -r       Used with -i, prints all the resolved issues.
  -q       Used with -i, prints all the outstanding issues.
  -L       Used with -i, prints the last scan.
  -s       Changes the output to CSV (comma delimited).
Sample output of rootcheck_control -i 002 -r (resolved issues):

  agent 'v__.__.___.edu (002) - 128.###.###.142':

  Resolved events:

  2013 Jun 27 00:45:12 (first time detected: 2013 May 28 14:50:04)
  System Audit: System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v1.1. File: /etc/redhat-release. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .

  2013 Jun 27 00:45:12 (first time detected: 2013 May 28 14:50:04)
  System Audit: System Audit: CIS - RHEL5 4.4 - GUI login enabled. File: /etc/inittab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .
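Each rootcheck entry carries two timestamps, the last time the issue was seen and the first time it was detected, so the database doubles as a record of how long a policy finding stayed open. The script below is an added example, not OSSEC's own code: it parses rootcheck_control output in the layout shown above into records and computes the days each finding was open. The sample text is constructed with placeholder host names and addresses; the regular expressions assume the two-line "timestamp / message" layout seen on the page.

```python
# Added example (not part of OSSEC): parse `rootcheck_control -i <id>` output into records
# and measure how long each finding stayed open (last seen minus first detected).
import re
from datetime import datetime

# Constructed sample in the layout rootcheck_control prints; host and address are placeholders.
SAMPLE_ROOTCHECK = """\
agent 'agent02.example.edu (002) - 192.0.2.142':

Resolved events:

2013 Jun 27 00:45:12 (first time detected: 2013 May 28 14:50:04)
System Audit: System Audit: CIS - Testing against the CIS Red Hat Enterprise Linux 5 Benchmark v1.1. File: /etc/redhat-release. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .

2013 Jun 27 00:45:12 (first time detected: 2013 May 28 14:50:04)
System Audit: System Audit: CIS - RHEL5 4.4 - GUI login enabled. File: /etc/inittab. Reference: http://www.ossec.net/wiki/index.php/CIS_RHEL5 .
"""

TIME_FORMAT = "%Y %b %d %H:%M:%S"
# "2013 Jun 27 00:45:12 (first time detected: 2013 May 28 14:50:04)"
HEADER_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \(first time detected: ([^)]+)\)$")
# The message names the file it refers to as "File: /path."; capture the path without the period.
FILE_RE = re.compile(r"File: (.+?)\.(?:\s|$)")


def parse_rootcheck(text):
    """Return one record per finding: last_seen, first_seen, message, file."""
    records = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        match = HEADER_RE.match(line.strip())
        if not match or idx + 1 >= len(lines):
            continue
        message = lines[idx + 1].strip()
        file_match = FILE_RE.search(message)
        records.append({
            "last_seen": datetime.strptime(match.group(1), TIME_FORMAT),
            "first_seen": datetime.strptime(match.group(2), TIME_FORMAT),
            "message": message,
            "file": file_match.group(1) if file_match else None,
        })
    return records


def days_open(record):
    """Whole days between first detection and the last time the finding was seen."""
    return (record["last_seen"] - record["first_seen"]).days


def longest_open(records):
    """The finding that stayed open longest, or None for an empty database."""
    return max(records, key=days_open, default=None)


if __name__ == "__main__":
    for rec in parse_rootcheck(SAMPLE_ROOTCHECK):
        print(f"{days_open(rec):3d} days  {rec['file']}  {rec['message'][:60]}")
```

The same parser applies to the -q (outstanding) listing, where days_open measured against the current date gives the age of each unresolved finding, a useful number to trend when deciding which hosts need attention first.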
syscheck_control options:
  -i <id>     List modified files for the agent.
  -r -i <id>  List modified registry entries for the agent (Windows only).
  -f <file>   Prints information about a modified file.
  -s          Changes the output to CSV (comma delimited).
ossec-reportd options:
  -f <filter> <value>  Filter the results.
  -r <filter> <value>  Show related entries.
  -n                   Creates a description for the report.
  -s                   Show the alert dump.

Filters allowed: group, rule, level, location, user, srcip, filename

Examples:
  -f group authentication_success      (to filter on login success)
  -f level 10                          (to filter on level >= 10)
  -f group authentication -r user srcip (to show the srcip for all users)
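The two option families do different jobs: -f narrows the alert set, while -r pivots the narrowed set on one field and lists the related field's values. The script below is an added example, not ossec-reportd's own code, that models those semantics over a handful of constructed alerts so that the three examples above can be run and inspected. The alert records, their rule numbers and addresses are invented; the group filter is implemented as a substring match (an assumption that makes "-f group authentication" cover authentication_success and authentication_failed, as the page's third example implies), and level is compared with >= as the page states.

```python
# Added example (not ossec-reportd's code): model the -f (filter) and -r (related) options
# over constructed alert records to show how the examples on the page combine.

# Constructed alerts; rule numbers, users, addresses and locations are placeholders.
ALERTS = [
    {"rule": "5715", "level": 3, "group": ["syslog", "sshd", "authentication_success"],
     "user": "alice", "srcip": "192.0.2.10", "location": "agent02->/var/log/secure"},
    {"rule": "5716", "level": 5, "group": ["syslog", "sshd", "authentication_failed"],
     "user": "root", "srcip": "198.51.100.7", "location": "agent02->/var/log/secure"},
    {"rule": "5712", "level": 10, "group": ["syslog", "sshd", "authentication_failures"],
     "user": "root", "srcip": "198.51.100.7", "location": "agent02->/var/log/secure"},
    {"rule": "5715", "level": 3, "group": ["syslog", "sshd", "authentication_success"],
     "user": "root", "srcip": "192.0.2.11", "location": "agent03->/var/log/secure"},
    {"rule": "550", "level": 7, "group": ["ossec", "syscheck"],
     "filename": "/etc/passwd", "location": "agent03->syscheck"},
]

FILTERS_ALLOWED = {"group", "rule", "level", "location", "user", "srcip", "filename"}


def matches(alert, name, value):
    """One -f <name> <value> test against a single alert."""
    if name not in FILTERS_ALLOWED:
        raise ValueError(f"unknown filter: {name}")
    if name == "level":
        return alert.get("level", 0) >= int(value)          # level filters mean ">="
    if name == "group":
        # Assumption: a group filter matches any group containing the value.
        return any(value in g for g in alert.get("group", []))
    return str(alert.get(name, "")) == value


def filter_alerts(alerts, *filters):
    """Apply (name, value) pairs as ANDed -f filters; no filters returns everything."""
    return [a for a in alerts if all(matches(a, n, v) for n, v in filters)]


def related(alerts, key, related_key):
    """-r <key> <related_key>: for each distinct key value, the related values seen with it."""
    out = {}
    for a in alerts:
        if key in a and related_key in a:
            out.setdefault(a[key], set()).add(a[related_key])
    return out


if __name__ == "__main__":
    print("login successes:", len(filter_alerts(ALERTS, ("group", "authentication_success"))))
    print("level >= 10:", [a["rule"] for a in filter_alerts(ALERTS, ("level", "10"))])
    print("srcip per user:", related(filter_alerts(ALERTS, ("group", "authentication")), "user", "srcip"))
```

Reading the third example this way makes its value obvious for triage: after restricting to authentication events, related() shows at a glance which source addresses each account logged in or failed from, which is the pivot an analyst wants before deciding whether an active response such as agent_control -b is warranted.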