-
Notifications
You must be signed in to change notification settings - Fork 35
/
fim-state-summary
33 lines (31 loc) · 1.23 KB
/
fim-state-summary
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
#!/bin/bash
#
# fim-state-summary
# by Kevin Branch (@BlueWolfNinja)
# Branch Network Consulting, LLC
#
# Run as root on each individual Wazuh manager to dump a summary of FIM state for all agents and managers, including count of monitored files, monitored registry objects, and byte count used in FIM state db.
# Generic output requires no parameters.
# For CSV output format, call it like this:
# fim-state-summary csv
#
for DB in `ls -1 /var/ossec/queue/db/???.db`; do
ID=`echo $DB | sed 's/[^0-9]*\([0-9]\+\)\.db/\1/'`
if [[ "$ID" == "000" ]]; then
N=`hostname`
else
N=`grep "^$ID " /var/ossec/etc/client.keys | awk '{print $2}'`
fi
FC=`sqlite3 $DB "select count(*) from fim_entry where type == 'file';"`
RC=`sqlite3 $DB "select count(*) from fim_entry where type like 'registry%';"`
B=`sqlite3 $DB "SELECT SUM("pgsize") FROM "dbstat" WHERE name='fim_entry';"`
if [[ "$1" == "csv" ]]; then
echo $ID,$N,$FC,$RC,$B
else
echo $N - $ID
echo $FC files monitored
echo $RC registry entries monitored
echo $B bytes consumed by FIM state
echo ""
fi
done