>
> Thanks that helped a lot and definitely speed it up.  We went from several 
> hours to 4 minutes now.  This includes our entire webapp

If syscheck sends too many events in a short period of time, it is possible 
that they are lost due to UDP. So, don't use values that are too low.

> Is there a way to speed up rootcheck?  That is the longest part of the scan 
> that takes 15 minutes now, so the whole process takes approx 20 minutes now.

Rootcheck does a lot of things (documentation 
<https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/rootcheck.html>).
 
You can enable only what you want:

   - check_dev
   - check_files
   - check_if
   - check_pids
   - check_policy
   - check_ports
   - check_sys
   - check_trojans
   - check_unixaudit
   - check_winapps
   - check_winmalware
   
> The main reason is anytime we deploy I want to follow what is in the doc, 
> stop ossec on manager, then clear database and run a new baseline, but 
> trying to speed up the process.  If there is a way to disable rootcheck 
> when I do that command?  I need to do that because otherwise I will get 
> tons of emails every time we do a deploy.

If you want to disable rootcheck remotely in an agent, you can use the 
agent.conf 
<https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html>
.

Regards.
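As an added illustration (this is not code from the thread or from the Wazuh project), the script below does two things that come up in this exchange: it pairs the "Starting"/"Ending" scan markers in ossec.log so you can tell a finished scan from one that is still running (the "last started but never completes" situation), and it reads the syscheck.sleep / syscheck.sleep_after values from local_internal_options.conf to report how much less the agent throttles compared with the default of 2 seconds every 15 files, warning when the values go beyond the 1 / 150 limit recommended above. The log and option lines are constructed samples; the syscheck lines follow the format quoted in the thread, while the exact wording of the rootcheck lines is an assumption.

```python
"""Added example: summarise OSSEC/Wazuh scan markers and syscheck throttling."""
import re
from datetime import datetime

# Constructed sample ossec.log excerpt (not taken from a real agent).
# The syscheck lines match the format quoted in the thread; the rootcheck
# lines are assumed to have the same shape.
SAMPLE_LOG = """\
2017/06/07 14:21:51 ossec-syscheckd: INFO: Starting syscheck scan
2017/06/07 14:22:10 ossec-rootcheck: INFO: Starting rootcheck scan
2017/06/07 14:27:19 ossec-syscheckd: INFO: Ending syscheck scan
2017/06/07 14:37:40 ossec-rootcheck: INFO: Ending rootcheck scan
2017/06/07 16:21:51 ossec-syscheckd: INFO: Starting syscheck scan
"""

# Constructed local_internal_options.conf using the values from the thread.
SAMPLE_OPTIONS = """\
# throttle syscheck less than the default (2 s every 15 files)
syscheck.sleep=1
syscheck.sleep_after=150
"""

LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+: INFO: "
    r"(Starting|Ending) (syscheck|rootcheck) scan"
)

DEFAULT_SLEEP, DEFAULT_SLEEP_AFTER = 2, 15   # OSSEC defaults named in the thread
MIN_SLEEP, MAX_SLEEP_AFTER = 1, 150          # the "1 - 150" limit from the thread


def scan_durations(log_text):
    """Pair each 'Starting' marker with the next 'Ending' marker per module.

    Returns {"completed": [(module, start, end, seconds), ...],
             "in_progress": [(module, start), ...]}.
    A 'Starting' with no later 'Ending' is reported as in progress, which is
    the state agent_control -i shows as a 'last started' time with no end.
    """
    open_scans = {}
    completed = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        phase, module = m.group(2), m.group(3)
        if phase == "Starting":
            open_scans[module] = ts  # a newer start supersedes an unfinished one
        elif module in open_scans:
            start = open_scans.pop(module)
            completed.append((module, start, ts, int((ts - start).total_seconds())))
    return {"completed": completed, "in_progress": sorted(open_scans.items())}


def syscheck_throttle(options_text):
    """Parse syscheck.sleep / syscheck.sleep_after and compare with the defaults.

    Returns (sleep, sleep_after, speedup, warnings), where speedup is how many
    times less sleep per file the agent does than the default 2 s per 15 files.
    """
    values = {"syscheck.sleep": DEFAULT_SLEEP,
              "syscheck.sleep_after": DEFAULT_SLEEP_AFTER}
    for line in options_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip()
        if key in values and val.isdigit():
            values[key] = int(val)
    sleep, after = values["syscheck.sleep"], values["syscheck.sleep_after"]
    warnings = []
    if sleep < MIN_SLEEP or after > MAX_SLEEP_AFTER:
        warnings.append("throttle beyond the 1 s / 150 files limit: "
                        "events sent over UDP may be lost")
    if sleep <= 0:
        speedup = float("inf")  # no sleeping at all
    else:
        speedup = round(DEFAULT_SLEEP * after / (DEFAULT_SLEEP_AFTER * sleep), 2)
    return sleep, after, speedup, warnings


if __name__ == "__main__":
    result = scan_durations(SAMPLE_LOG)
    for module, start, end, secs in result["completed"]:
        print(f"{module}: {start} -> {end} ({secs} s)")
    for module, start in result["in_progress"]:
        print(f"{module}: started {start}, no end marker yet")
    sleep, after, speedup, warnings = syscheck_throttle(SAMPLE_OPTIONS)
    print(f"syscheck.sleep={sleep} syscheck.sleep_after={after}: "
          f"{speedup}x less throttling than default")
    for w in warnings:
        print("WARNING:", w)
```

Run it against a copy of the agent's ossec.log and local_internal_options.conf instead of the embedded samples; an entry under "in_progress" long after the configured frequency has elapsed is the symptom to investigate, and a warning from syscheck_throttle means the agent may be flooding the manager faster than UDP delivery can absorb.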


On Wednesday, June 7, 2017 at 8:13:24 PM UTC+2, John Kondur wrote:
>
> Thanks that helped a lot and definitely speed it up.  We went from several 
> hours to 4 minutes now.  This includes our entire webapp
>
>
> Is there a way to speed up rootcheck?  That is the longest part of the 
> scan that takes 15 minutes now, so the whole process takes approx 20 
> minutes now.
>
> But I would like to either disable root check when you send for example 
> the following command:
>
>  /var/ossec/bin/agent_control -r -u 1027
>
>
> The main reason is anytime we deploy I want to follow what is in the doc, 
> stop ossec on manager, then clear database and run a new baseline, but 
> trying to speed up the process.  If there is a way to disable rootcheck 
> when I do that command?  I need to do that because otherwise I will get 
> tons of emails every time we do a deploy.
>
> Thanks
>
>
> On Wednesday, June 7, 2017 at 11:36:13 AM UTC-4, Jesus Linares wrote:
>>
>> Hi John,
>>
>> there is a way to speed up syscheck. By default *syscheck sleeps 2 
>> seconds each 15 files*. This avoids packet loss due to UDP. You can 
>> overwrite this configuration in *local_internal_options.conf*:
>>
>> $ nano /var/ossec/etc/local_internal_options.conf
>>
>> syscheck.sleep=1
>> syscheck.sleep_after=150
>>
>>
>> This is 20 times faster than the default configuration. I would not 
>> increase these values more than 1 - 150.
>>
>> How many files are you scanning? Remember that syscheck is only for 
>> important files.
>>
>> In *ossec.log *you should see something like:
>>
>> 2017/06/07 14:21:51 ossec-syscheckd: INFO: Starting syscheck scan
>> ...
>> 2017/06/07 14:27:19 ossec-syscheckd: INFO: Ending syscheck scan
>>
>>
>> I hope it helps.
>> Regards.
>>
>>
>> On Wednesday, June 7, 2017 at 4:54:07 PM UTC+2, jose wrote:
>>>
>>> Hi John
>>>
>>> You cannot speed up the syscheck, but you can always add the option 
>>> *realtime* for your more important folders; with this option you will 
>>> have the alerts in “real time” :)
>>>
>>>
>>> https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html?highlight=realtime
>>>
>>>
>>> Regards
>>> -----------------------
>>> Jose Luis Ruiz
>>> Wazuh Inc.
>>> jo...@wazuh.com
>>>
>>> On June 7, 2017 at 10:15:19 AM, John Kondur (kongf...@gmail.com) wrote:
>>>
>>> Thanks I did find it that did help, 
>>>
>>> I had two more questions not sure if I should start another thread:
>>>
>>> I had frequency set on the agents to:
>>>
>>> <frequency>7200</frequency>
>>>
>>> I looked in the ossec.log and it never kicked off, and it has been 15 
>>> hours since the last scan finished.  I restarted the agent and it kicked 
>>> off but any idea what might not start it?  
>>>
>>>
>>>
>>> Second question:
>>>
>>> The scans seem to take a very long time, I ran it and it takes 4 hours 
>>> on one of my web servers.  Is it the size of the files or the number of 
>>> files that determines the scan and is there anyway to speed it up?  
>>>
>>>
>>> Thanks
>>>
>>>
>>>
>>> On Wednesday, June 7, 2017 at 5:21:01 AM UTC-4, Jesus Linares wrote: 
>>>>
>>>> Review the ossec.conf of the agent 1027. You should see a log for 
>>>> starting/ending rootcheck and syscheck. 
>>>>
>>>> I hope it helps.
>>>>
>>>> On Tuesday, June 6, 2017 at 9:17:11 PM UTC+2, John Kondur wrote: 
>>>>>
>>>>> Thanks but unfortunately all it shows is the following: 
>>>>>
>>>>>
>>>>> OSSEC HIDS agent_control. Agent information:
>>>>>    Agent ID:   1027
>>>>>    Agent Name: server1
>>>>>    IP address: any/any
>>>>>    Status:     Active
>>>>>
>>>>>    Operating system:    Linux 4.4.
>>>>>    Client version:      OSSEC HIDS v2.8.3 / 
>>>>> 6322ee12ea9a05951f97923a8341a01a
>>>>>    Last keep alive:     Tue Jun  6 19:10:59 2017
>>>>>
>>>>>    Syscheck last started  at: Tue Jun  6 18:19:23 2017
>>>>>    Rootcheck last started at: Tue Jun  6 18:41:54 2017
>>>>>
>>>>>  
>>>>> It just shows last started, but never shows when it completes.
>>>>>
>>>>>
>>>>> On Tuesday, June 6, 2017 at 4:42:52 AM UTC-4, Jesus Linares wrote: 
>>>>>>
>>>>>> Hi John, 
>>>>>>
>>>>>> I think it should appear in */var/ossec/bin/agent_control -i 1027.* 
>>>>>> Also, you can review the ossec.conf of your agent.
>>>>>>
>>>>>> Regards.
>>>>>>
>>>>>> On Monday, June 5, 2017 at 6:24:14 PM UTC+2, John Kondur wrote: 
>>>>>>>
>>>>>>> I just started to use ossec, and was doing some testing by making 
>>>>>>> some changes in a file in a directory, and then I run from the server: 
>>>>>>>
>>>>>>>
>>>>>>> /var/ossec/bin/agent_control -r -a
>>>>>>>
>>>>>>>
>>>>>>> if I do a query on the agent:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> /var/ossec/bin/agent_control -i 1027
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> It will show last time it started but never shows when it 
>>>>>>> completes?  Is there a process or way to check to see if it completed 
>>>>>>> or am 
>>>>>>> I not waiting long enough?  So far I am not seeing ossec pick up that 
>>>>>>> the 
>>>>>>> file changes.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>> --
>>>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.