You are welcome.

Yes, syscheck controls/scans are executed every 22 hours by default,
meaning that the syscheck binary will scan each file looking for modifications
(checksum, groups, users, size), it will send back the updated files DB and
the OSSEC manager will compare the previous version with the new scan (the "new
syscheck" as you name it :D); if there are modifications, in most cases, it will
trigger an alert.

Anyway, syscheck processes are not replacing or rotating the alerts.log file;
the ossec-monitord daemon is the one in charge of rotating alerts.log daily.

Btw, remember that OSSEC keeps old logs stored at
/var/ossec/logs/alerts/2016/Sep


> root@ubuntu:/var/ossec/logs/alerts/2016/Sep# ls -lah
> total 152K
> drwxr-x--- 2 ossec ossec 4,0K sep  7 00:29 .
> drwxr-x--- 4 ossec ossec 4,0K sep  1 11:35 ..
> -rw-r----- 1 ossec ossec 2,0K sep  2 02:29 ossec-alerts-01.json.gz
> -rw-r----- 1 ossec ossec  338 sep  2 02:29 ossec-alerts-01.json.sum
> -rw-r----- 1 ossec ossec 1,9K sep  2 02:29 ossec-alerts-01.log.gz
> -rw-r----- 1 ossec ossec  334 sep  2 02:29 ossec-alerts-01.log.sum
> -rw-r----- 1 ossec ossec  72K sep  6 02:21 ossec-alerts-02.json.gz
> -rw-r----- 1 ossec ossec  338 sep  6 02:21 ossec-alerts-02.json.sum
> -rw-r----- 1 ossec ossec 2,1K sep  6 02:21 ossec-alerts-02.log.gz
> -rw-r----- 1 ossec ossec  334 sep  6 02:21 ossec-alerts-02.log.sum
> -rw-r----- 1 ossec ossec  16K sep  6 08:07 ossec-alerts-06.json
> -rw-r----- 1 ossec ossec  17K sep  6 08:07 ossec-alerts-06.log
> -rw-r----- 2 ossec ossec 1,1K sep  7 00:30 ossec-alerts-07.json
> -rw-r----- 2 ossec ossec  730 sep  7 00:30 ossec-alerts-07.log


Best regards,

Pedro S.


On Tue, Sep 6, 2016 at 12:57 PM, Daiyue Weng <daiyuew...@gmail.com> wrote:

> okay, I see. thanks for the explanation.
>
> syscheck is done every 22 hours by default, so that is what I mean by "new
> syscheck".
>
> cheers
>
> On 6 September 2016 at 10:22, Pedro Sanchez <pe...@wazuh.com> wrote:
>
>> Hi Daiyue,
>>
>> I don't really understand what you mean by "new syscheck" is replacing
>> previous logs, please could you explain this in detail?
>>
>> Regarding the rotation of alerts.log, we can't configure the log size;
>> it rotates daily no matter how much it weighs, it will rotate every day.
>> If you open etc/internal_options.conf you will be able to enable/disable
>> compression, but nothing related to log size.
>>
>> Best regards,
>>
>> Pedro S.
>>
>> On Tue, Sep 6, 2016 at 10:11 AM, Daiyue Weng <daiyuew...@gmail.com>
>> wrote:
>>
>>> Hi, I found that alerts.log is rotating so that previous logs were replaced
>>> by new syschecks; is there any way to configure ossec to record previous logs,
>>> like increasing log size?
>>>
>>> cheers
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to ossec-list+unsubscr...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>>

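As an added example (not code from this thread or from the OSSEC project), the shell script below reads syscheck alerts back out of the daily rotations that ossec-monitord leaves under /var/ossec/logs/alerts/YYYY/Mon, decompressing the ossec-alerts-DD.log.gz archives on the fly alongside the still-uncompressed current day's ossec-alerts-DD.log. The function names (alerts_cat, count_syscheck_alerts, syscheck_changed_paths, make_sample_archive) are mine, and the alerts that make_sample_archive writes are constructed for the demo, following the alerts.log layout (a "** Alert" header carrying the rule groups, a timestamp/location line, the rule line, then the rule-specific body). Run it with --demo to see it against that sample, or point the functions at a real month directory on a manager.

```shell
#!/usr/bin/env bash
# Added example: read syscheck alerts across ossec-monitord's daily rotations.
# Assumed layout (matches the listing in the thread): DIR holds
# ossec-alerts-DD.log (current day, uncompressed), ossec-alerts-DD.log.gz
# (compressed by monitord) and ossec-alerts-DD.log.sum (monitord's signature).
set -eu

# Print every line of every rotated alerts file in DIR, oldest day first.
# Lexical sort of the glob gives day order; .sum and .json files are skipped.
alerts_cat() {
    dir=$1
    for f in "$dir"/ossec-alerts-[0-9][0-9].log*; do
        [ -e "$f" ] || continue
        case "$f" in
            *.sum) continue ;;
            *.gz)  gzip -dc "$f" ;;
            *)     cat "$f" ;;
        esac
    done
}

# Count syscheck alerts by their "** Alert" header, which carries the rule
# groups (ossec,syscheck,) for every alert regardless of which 55x rule fired.
count_syscheck_alerts() {
    alerts_cat "$1" | grep -c '^\*\* Alert .*syscheck' || true
}

# Unique list of files that syscheck reported as changed, across all days.
syscheck_changed_paths() {
    alerts_cat "$1" | sed -n "s/^Integrity checksum changed for: '\(.*\)'$/\1/p" | sort -u
}

# Build a constructed month directory for the demo: day 02 already compressed
# by monitord (two syscheck alerts plus one sshd alert), day 06 still plain.
make_sample_archive() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ossec-alerts-02.log" <<'EOF'
** Alert 1472781600.100: - ossec,syscheck,
2016 Sep 02 02:00:00 ubuntu->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Size changed from '1311' to '1352'

** Alert 1472781660.200: - syslog,sshd,authentication_success,
2016 Sep 02 02:01:00 ubuntu->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Sep  2 02:01:00 ubuntu sshd[2201]: Accepted publickey for ops from 10.0.0.5 port 50122 ssh2

** Alert 1472785200.300: - ossec,syscheck,
2016 Sep 02 03:00:00 ubuntu->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ssh/sshd_config'
Size changed from '2500' to '2512'

EOF
    gzip -f "$dir/ossec-alerts-02.log"   # what monitord does after day_wait
    cat > "$dir/ossec-alerts-06.log" <<'EOF'
** Alert 1473149220.400: - ossec,syscheck,
2016 Sep 06 08:07:00 ubuntu->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/passwd'
Size changed from '1352' to '1360'

EOF
}

# Demo against the constructed sample; use the functions directly on a real
# /var/ossec/logs/alerts/<year>/<month> directory otherwise.
demo() {
    tmp=$(mktemp -d)
    make_sample_archive "$tmp"
    printf 'syscheck alerts across rotations: %s\n' "$(count_syscheck_alerts "$tmp")"
    printf 'files reported changed:\n'
    syscheck_changed_paths "$tmp"
    rm -rf "$tmp"
}
if [ "${1-}" = "--demo" ]; then demo; fi
```

The .sum beside each archive is monitord's signature of the rotated file (monitord.sign in etc/internal_options.conf, with monitord.compress controlling the .gz); the script leaves those alone and only answers the question in the thread, which was how to get at alerts that the daily rotation appeared to have replaced.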