Re: [ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-08 Thread Jesus Linares

>
> Thanks that helped a lot and definitely sped it up.  We went from several 
> hours to 4 minutes now.  This includes our entire webapp.

If syscheck sends too many events in a short period of time, it is possible 
that they are lost due to UDP. So, don't use too low values.

> Is there a way to speed up rootcheck?  That is the longest part of the scan 
> that takes 15 minutes now, so the whole process takes approx 20 minutes now.

Rootcheck does a lot of things (documentation).
 
You can enable only what you want:

   - check_dev
   - check_files
   - check_if
   - check_pids
   - check_policy
   - check_ports
   - check_sys
   - check_trojans
   - check_unixaudit
   - check_winapps
   - check_winmalware
   
> The main reason is anytime we deploy I want to follow what is in the doc, 
> stop ossec on manager, then clear database and run a new baseline, but 
> trying to speed up the process.  If there is a way to disable rootcheck 
> when I do that command?  I need to do that because otherwise I will get 
> tons of emails every time we do a deploy.

If you want to disable rootcheck remotely in an agent, you can use the 
agent.conf.

Regards.


On Wednesday, June 7, 2017 at 8:13:24 PM UTC+2, John Kondur wrote:
>
> Thanks that helped a lot and definitely sped it up.  We went from several 
> hours to 4 minutes now.  This includes our entire webapp.
>
>
> Is there a way to speed up rootcheck?  That is the longest part of the 
> scan that takes 15 minutes now, so the whole process takes approx 20 
> minutes now.
>
> But I would like to either disable root check when you send for example 
> the following command:
>
>  /var/ossec/bin/agent_control -r -u 1027
>
>
> The main reason is anytime we deploy I want to follow what is in the doc, 
> stop ossec on manager, then clear database and run a new baseline, but 
> trying to speed up the process.  If there is a way to disable rootcheck 
> when I do that command?  I need to do that because otherwise I will get 
> tons of emails every time we do a deploy.
>
> Thanks
>
>
> On Wednesday, June 7, 2017 at 11:36:13 AM UTC-4, Jesus Linares wrote:
>>
>> Hi John,
>>
>> there is a way to speed up syscheck. By default *syscheck sleeps 2 
>> seconds each 15 files*. This avoids packet loss due to UDP. You can 
>> overwrite this configuration in *local_internal_options.conf*:
>>
>> $ nano /var/ossec/etc/local_internal_options.conf
>>
>> syscheck.sleep=1
>> syscheck.sleep_after=150
>>
>>
>> This is 20 times faster than the default configuration. I would not 
>> increase these values more than 1 - 150.
>>
>> How many files are you scanning? Remember that syscheck is only for 
>> important files.
>>
>> In *ossec.log* you should see something like:
>>
>> 2017/06/07 14:21:51 ossec-syscheckd: INFO: Starting syscheck scan
>> ...
>> 2017/06/07 14:27:19 ossec-syscheckd: INFO: Ending syscheck scan
>>
>>
>> I hope it helps.
>> Regards.
>>
>>
>> On Wednesday, June 7, 2017 at 4:54:07 PM UTC+2, jose wrote:
>>>
>>> Hi John
>>>
>>> You cannot speed up syscheck, but you can always add the option 
>>> *realtime* for your more important folders. With this option you will 
>>> have the alerts in “real time” :)
>>>
>>>
>>> https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html?highlight=realtime
>>>
>>>
>>> Regards
>>> ---
>>> Jose Luis Ruiz
>>> Wazuh Inc.
>>> jo...@wazuh.com
>>>
>>> On June 7, 2017 at 10:15:19 AM, John Kondur (kongf...@gmail.com) wrote:
>>>
>>> Thanks, I did find it; that did help.
>>>
>>> I had two more questions not sure if I should start another thread:
>>>
>>> I had frequency set on the agents to:
>>>
>>> 7200
>>>
>>> I looked in the ossec.log and it never kicked off, and it has been 15 
>>> hours since the last scan finished.  I restarted the agent and it kicked 
>>> off but any idea what might not start it?  
>>>
>>>
>>>
>>> Second question:
>>>
>>> The scans seem to take a very long time, I ran it and it takes 4 hours 
>>> on one of my web servers.  Is it the size of the files or the number of 
>>> files that determines the scan and is there any way to speed it up?  
>>>
>>>
>>> Thanks
>>>
>>>
>>>
>>> On Wednesday, June 7, 2017 at 5:21:01 AM UTC-4, Jesus Linares wrote: 

>>>> Review the ossec.conf of the agent 1027. You should see a log for 
>>>> starting/ending rootcheck and syscheck. 
>>>>
>>>> I hope it helps.
>>>>
>>>> On Tuesday, June 6, 2017 at 9:17:11 PM UTC+2, John Kondur wrote: 
>>>>>
>>>>> Thanks but unfortunately all it shows is the following: 
>>>>>
>>>>>
>>>>> OSSEC HIDS agent_control. Agent information:
>>>>>    Agent ID:   1027
>>>>>    Agent Name: server1
>>>>>    IP address: any/any
>>>>>    Status: Active
>>>>>
>>>>>    Operating system:Linux 4.4.
>>>>>    Client version:  OSSEC HIDS v2.8.3 

Re: [ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-07 Thread John Kondur
Thanks that helped a lot and definitely sped it up.  We went from several 
hours to 4 minutes now.  This includes our entire webapp.


Is there a way to speed up rootcheck?  That is the longest part of the scan 
that takes 15 minutes now, so the whole process takes approx 20 minutes now.

But I would like to either disable root check when you send for example the 
following command:

 /var/ossec/bin/agent_control -r -u 1027


The main reason is anytime we deploy I want to follow what is in the doc, 
stop ossec on manager, then clear database and run a new baseline, but 
trying to speed up the process.  If there is a way to disable rootcheck 
when I do that command?  I need to do that because otherwise I will get 
tons of emails every time we do a deploy.

Thanks


On Wednesday, June 7, 2017 at 11:36:13 AM UTC-4, Jesus Linares wrote:
>
> Hi John,
>
> there is a way to speed up syscheck. By default *syscheck sleeps 2 
> seconds each 15 files*. This avoids packet loss due to UDP. You can 
> overwrite this configuration in *local_internal_options.conf*:
>
> $ nano /var/ossec/etc/local_internal_options.conf
>
> syscheck.sleep=1
> syscheck.sleep_after=150
>
>
> This is 20 times faster than the default configuration. I would not 
> increase these values more than 1 - 150.
>
> How many files are you scanning? Remember that syscheck is only for 
> important files.
>
> In *ossec.log* you should see something like:
>
> 2017/06/07 14:21:51 ossec-syscheckd: INFO: Starting syscheck scan
> ...
> 2017/06/07 14:27:19 ossec-syscheckd: INFO: Ending syscheck scan
>
>
> I hope it helps.
> Regards.
>
>
> On Wednesday, June 7, 2017 at 4:54:07 PM UTC+2, jose wrote:
>>
>> Hi John
>>
>> You cannot speed up syscheck, but you can always add the option 
>> *realtime* for your more important folders. With this option you will 
>> have the alerts in “real time” :)
>>
>>
>> https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html?highlight=realtime
>>
>>
>> Regards
>> ---
>> Jose Luis Ruiz
>> Wazuh Inc.
>> jo...@wazuh.com
>>
>> On June 7, 2017 at 10:15:19 AM, John Kondur (kongf...@gmail.com) wrote:
>>
>> Thanks, I did find it; that did help.
>>
>> I had two more questions not sure if I should start another thread:
>>
>> I had frequency set on the agents to:
>>
>> 7200
>>
>> I looked in the ossec.log and it never kicked off, and it has been 15 
>> hours since the last scan finished.  I restarted the agent and it kicked 
>> off but any idea what might not start it?  
>>
>>
>>
>> Second question:
>>
>> The scans seem to take a very long time, I ran it and it takes 4 hours on 
>> one of my web servers.  Is it the size of the files or the number of files 
>> that determines the scan and is there any way to speed it up?  
>>
>>
>> Thanks
>>
>>
>>
>> On Wednesday, June 7, 2017 at 5:21:01 AM UTC-4, Jesus Linares wrote: 
>>>
>>> Review the ossec.conf of the agent 1027. You should see a log for 
>>> starting/ending rootcheck and syscheck. 
>>>
>>> I hope it helps.
>>>
>>> On Tuesday, June 6, 2017 at 9:17:11 PM UTC+2, John Kondur wrote: 

>>>> Thanks but unfortunately all it shows is the following: 
>>>>
>>>>
>>>> OSSEC HIDS agent_control. Agent information:
>>>>    Agent ID:   1027
>>>>    Agent Name: server1
>>>>    IP address: any/any
>>>>    Status: Active
>>>>
>>>>    Operating system:Linux 4.4.
>>>>    Client version:  OSSEC HIDS v2.8.3 / 6322ee12ea9a05951f97923a8341a01a
>>>>    Last keep alive: Tue Jun  6 19:10:59 2017
>>>>
>>>>    Syscheck last started  at: Tue Jun  6 18:19:23 2017
>>>>    Rootcheck last started at: Tue Jun  6 18:41:54 2017
>>>>
>>>> It just shows last started, but never shows when it completes.
>>>>
>>>>
>>>> On Tuesday, June 6, 2017 at 4:42:52 AM UTC-4, Jesus Linares wrote: 
>>>>>
>>>>> Hi John, 
>>>>>
>>>>> I think it should appear in */var/ossec/bin/agent_control -i 1027*. 
>>>>> Also, you can review the ossec.conf of your agent.
>>>>>
>>>>> Regards.
>>>>>
>>>>> On Monday, June 5, 2017 at 6:24:14 PM UTC+2, John Kondur wrote: 
>>>>>>
>>>>>> I just started to use ossec, and was doing some testing by making 
>>>>>> some changes in a file in a directory, and then I run from the server: 
>>>>>>
>>>>>>
>>>>>> /var/ossec/bin/agent_control -r -a
>>>>>>
>>>>>>
>>>>>> if I do a query on the agent:
>>>>>>
>>>>>>
>>>>>>
>>>>>> /var/ossec/bin/agent_control -i 1027
>>>>>>
>>>>>>
>>>>>>
>>>>>> It will show last time it started but never shows when it completes?  
>>>>>> Is there a process or way to check to see if it completed or am I not 
>>>>>> waiting long enough?  So far I am not seeing ossec pick up that the file 
>>>>>> changes.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> --
>>>>>>
>>>>>> ---
>>>>>> You received this message because you are subscribed to the Google Groups 
>>>>>> "ossec-list" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send an 
>>>>>> email to ossec-list+...@googlegroups.com.
>>>>>> For more options, visit 

Re: [ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-07 Thread Jesus Linares
Hi John,

there is a way to speed up syscheck. By default *syscheck sleeps 2 seconds 
each 15 files*. This avoids packet loss due to UDP. You can overwrite this 
configuration in *local_internal_options.conf*:

$ nano /var/ossec/etc/local_internal_options.conf

syscheck.sleep=1
syscheck.sleep_after=150


This is 20 times faster than the default configuration. I would not 
increase these values more than 1 - 150.

How many files are you scanning? Remember that syscheck is only for 
important files.

In *ossec.log* you should see something like:

2017/06/07 14:21:51 ossec-syscheckd: INFO: Starting syscheck scan
...
2017/06/07 14:27:19 ossec-syscheckd: INFO: Ending syscheck scan


I hope it helps.
Regards.


On Wednesday, June 7, 2017 at 4:54:07 PM UTC+2, jose wrote:
>
> Hi John
>
> You cannot speed up syscheck, but you can always add the option 
> *realtime* for your more important folders. With this option you will 
> have the alerts in “real time” :)
>
>
> https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html?highlight=realtime
>
>
> Regards
> ---
> Jose Luis Ruiz
> Wazuh Inc.
> jo...@wazuh.com 
>
> On June 7, 2017 at 10:15:19 AM, John Kondur (kongf...@gmail.com) wrote:
>
> Thanks, I did find it; that did help.
>
> I had two more questions not sure if I should start another thread:
>
> I had frequency set on the agents to:
>
> 7200
>
> I looked in the ossec.log and it never kicked off, and it has been 15 
> hours since the last scan finished.  I restarted the agent and it kicked 
> off but any idea what might not start it?  
>
>
>
> Second question:
>
> The scans seem to take a very long time, I ran it and it takes 4 hours on 
> one of my web servers.  Is it the size of the files or the number of files 
> that determines the scan and is there any way to speed it up?  
>
>
> Thanks
>
>
>
> On Wednesday, June 7, 2017 at 5:21:01 AM UTC-4, Jesus Linares wrote: 
>>
>> Review the ossec.conf of the agent 1027. You should see a log for 
>> starting/ending rootcheck and syscheck. 
>>
>> I hope it helps.
>>
>> On Tuesday, June 6, 2017 at 9:17:11 PM UTC+2, John Kondur wrote: 
>>>
>>> Thanks but unfortunately all it shows is the following: 
>>>
>>>
>>> OSSEC HIDS agent_control. Agent information:
>>>Agent ID:   1027
>>>Agent Name: server1
>>>IP address: any/any
>>>Status: Active
>>>
>>>Operating system:Linux 4.4.
>>>Client version:  OSSEC HIDS v2.8.3 / 
>>> 6322ee12ea9a05951f97923a8341a01a
>>>Last keep alive: Tue Jun  6 19:10:59 2017
>>>
>>>Syscheck last started  at: Tue Jun  6 18:19:23 2017
>>>Rootcheck last started at: Tue Jun  6 18:41:54 2017
>>>
>>>  
>>> It just shows last started, but never shows when it completes.
>>>
>>>
>>> On Tuesday, June 6, 2017 at 4:42:52 AM UTC-4, Jesus Linares wrote: 

>>>> Hi John, 
>>>>
>>>> I think it should appear in */var/ossec/bin/agent_control -i 1027*. 
>>>> Also, you can review the ossec.conf of your agent.
>>>>
>>>> Regards.
>>>>
>>>> On Monday, June 5, 2017 at 6:24:14 PM UTC+2, John Kondur wrote: 
>>>>>
>>>>> I just started to use ossec, and was doing some testing by making some 
>>>>> changes in a file in a directory, and then I run from the server: 
>>>>>
>>>>>
>>>>> /var/ossec/bin/agent_control -r -a
>>>>>
>>>>>
>>>>> if I do a query on the agent:
>>>>>
>>>>>
>>>>>
>>>>> /var/ossec/bin/agent_control -i 1027
>>>>>
>>>>>
>>>>>
>>>>> It will show last time it started but never shows when it completes?  
>>>>> Is there a process or way to check to see if it completed or am I not 
>>>>> waiting long enough?  So far I am not seeing ossec pick up that the file 
>>>>> changes.
>>>>>
>>>>> Thanks
>>>>>
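The Starting/Ending lines Jesus quotes above are the only record in ossec.log of a finished scan. The script below is added here (it is not from the thread, from OSSEC or from Wazuh) and pairs those lines to report each scan's duration and whether the last one is still running; the log lines it runs on are constructed sample data, and the rootcheck line wording is an assumption modelled on the syscheck lines.

```shell
#!/bin/sh
# Added example, not code from the thread or from OSSEC/Wazuh: answer the
# thread's question ("how do I know the syscheck scan finished?") by pairing
# the "Starting <module> scan" / "Ending <module> scan" lines the agent
# writes to ossec.log, as quoted in Jesus's reply above.

# scan_status MODULE   (ossec.log on stdin)
#   Prints "FINISHED <start stamp> <seconds>s" for every completed scan of
#   MODULE (syscheck, rootcheck), then "RUNNING since <stamp>" if the last
#   start has no matching end, or "NO <MODULE> SCAN LOGGED" if none appear.
#   Matching is by substring, so a trailing period on the message also works.
scan_status() {
  awk -v mod="$1" '
    # Days since 1970-01-01 for a civil date; avoids mktime(), which only
    # GNU awk provides. Standard days-from-civil arithmetic.
    function days(y, m, d,    era, yoe, mp, doy, doe) {
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      mp  = (m + 9) % 12
      doy = int((153 * mp + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    # Seconds since epoch for the "YYYY/MM/DD HH:MM:SS" stamp ossec.log uses,
    # so a scan that crosses midnight is still timed correctly.
    function epoch(ts,    a) {
      split(ts, a, "[/ :]")
      return days(a[1] + 0, a[2] + 0, a[3] + 0) * 86400 + a[4] * 3600 + a[5] * 60 + a[6]
    }
    $0 ~ (": INFO: Starting " mod " scan") {
      started = $1 " " $2; start = epoch(started); seen = 1
    }
    $0 ~ (": INFO: Ending " mod " scan") && started != "" {
      printf "FINISHED %s %ds\n", started, epoch($1 " " $2) - start
      started = ""
    }
    END {
      if (started != "") print "RUNNING since " started
      else if (!seen)    print "NO " mod " SCAN LOGGED"
    }'
}

# Constructed sample of an agent ossec.log (not a real host). The second
# syscheck scan ends on the next calendar day; the third has not ended yet.
# The rootcheck line wording is an assumption modelled on the syscheck lines.
SAMPLE_LOG='2017/06/07 14:21:51 ossec-syscheckd: INFO: Starting syscheck scan
2017/06/07 14:22:03 ossec-rootcheck: INFO: Starting rootcheck scan.
2017/06/07 14:27:19 ossec-syscheckd: INFO: Ending syscheck scan
2017/06/07 14:37:19 ossec-rootcheck: INFO: Ending rootcheck scan.
2017/06/07 16:21:51 ossec-syscheckd: INFO: Starting syscheck scan
2017/06/08 00:05:00 ossec-syscheckd: INFO: Ending syscheck scan
2017/06/08 02:05:00 ossec-syscheckd: INFO: Starting syscheck scan'

# On a real agent:  scan_status syscheck < /var/ossec/logs/ossec.log
printf '%s\n' "$SAMPLE_LOG" | scan_status syscheck
printf '%s\n' "$SAMPLE_LOG" | scan_status rootcheck
```

A scan that shows as RUNNING long after the frequency interval is the symptom John describes (started, never ended), and is the case to alert on.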


Re: [ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-07 Thread Jose Luis Ruiz
Hi John

You cannot speed up syscheck, but you can always add the option *realtime*
for your more important folders. With this option you will have the alerts
in “real time” :)

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html?highlight=realtime


Regards
---
Jose Luis Ruiz
Wazuh Inc.
j...@wazuh.com

On June 7, 2017 at 10:15:19 AM, John Kondur (kongfra...@gmail.com) wrote:

Thanks, I did find it; that did help.

I had two more questions not sure if I should start another thread:

I had frequency set on the agents to:

7200

I looked in the ossec.log and it never kicked off, and it has been 15 hours
since the last scan finished.  I restarted the agent and it kicked off but
any idea what might not start it?



Second question:

The scans seem to take a very long time, I ran it and it takes 4 hours on
one of my web servers.  Is it the size of the files or the number of files
that determines the scan and is there any way to speed it up?


Thanks



On Wednesday, June 7, 2017 at 5:21:01 AM UTC-4, Jesus Linares wrote:
>
> Review the ossec.conf of the agent 1027. You should see a log for
> starting/ending rootcheck and syscheck.
>
> I hope it helps.
>
> On Tuesday, June 6, 2017 at 9:17:11 PM UTC+2, John Kondur wrote:
>>
>> Thanks but unfortunately all it shows is the following:
>>
>>
>> OSSEC HIDS agent_control. Agent information:
>>Agent ID:   1027
>>Agent Name: server1
>>IP address: any/any
>>Status: Active
>>
>>Operating system:Linux 4.4.
>>    Client version:  OSSEC HIDS v2.8.3 / 6322ee12ea9a05951f97923a8341a01a
>>Last keep alive: Tue Jun  6 19:10:59 2017
>>
>>Syscheck last started  at: Tue Jun  6 18:19:23 2017
>>Rootcheck last started at: Tue Jun  6 18:41:54 2017
>>
>>
>> It just shows last started, but never shows when it completes.
>>
>>
>> On Tuesday, June 6, 2017 at 4:42:52 AM UTC-4, Jesus Linares wrote:
>>>
>>> Hi John,
>>>
>>> I think it should appear in */var/ossec/bin/agent_control -i 1027.*
>>> Also, you can review the ossec.conf of your agent.
>>>
>>> Regards.
>>>
>>> On Monday, June 5, 2017 at 6:24:14 PM UTC+2, John Kondur wrote:

>>>> I just started to use ossec, and was doing some testing by making some
>>>> changes in a file in a directory, and then I run from the server:
>>>>
>>>>
>>>> /var/ossec/bin/agent_control -r -a
>>>>
>>>>
>>>> if I do a query on the agent:
>>>>
>>>>
>>>>
>>>> /var/ossec/bin/agent_control -i 1027
>>>>
>>>>
>>>>
>>>> It will show last time it started but never shows when it completes?
>>>> Is there a process or way to check to see if it completed or am I not
>>>> waiting long enough?  So far I am not seeing ossec pick up that the file
>>>> changes.
>>>>
>>>> Thanks
>>>>


[ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-07 Thread John Kondur
Thanks, I did find it; that did help.

I had two more questions not sure if I should start another thread:

I had frequency set on the agents to:

7200

I looked in the ossec.log and it never kicked off, and it has been 15 hours 
since the last scan finished.  I restarted the agent and it kicked off but 
any idea what might not start it?  



Second question:

The scans seem to take a very long time, I ran it and it takes 4 hours on 
one of my web servers.  Is it the size of the files or the number of files 
that determines the scan and is there any way to speed it up?  


Thanks



On Wednesday, June 7, 2017 at 5:21:01 AM UTC-4, Jesus Linares wrote:
>
> Review the ossec.conf of the agent 1027. You should see a log for 
> starting/ending rootcheck and syscheck.
>
> I hope it helps.
>
> On Tuesday, June 6, 2017 at 9:17:11 PM UTC+2, John Kondur wrote:
>>
>> Thanks but unfortunately all it shows is the following:
>>
>>
>> OSSEC HIDS agent_control. Agent information:
>>Agent ID:   1027
>>Agent Name: server1
>>IP address: any/any
>>Status: Active
>>
>>Operating system:Linux 4.4.
>>    Client version:  OSSEC HIDS v2.8.3 / 6322ee12ea9a05951f97923a8341a01a
>>Last keep alive: Tue Jun  6 19:10:59 2017
>>
>>Syscheck last started  at: Tue Jun  6 18:19:23 2017
>>Rootcheck last started at: Tue Jun  6 18:41:54 2017
>>
>>  
>> It just shows last started, but never shows when it completes.
>>
>>
>> On Tuesday, June 6, 2017 at 4:42:52 AM UTC-4, Jesus Linares wrote:
>>>
>>> Hi John,
>>>
>>> I think it should appear in */var/ossec/bin/agent_control -i 1027*. Also, 
>>> you can review the ossec.conf of your agent.
>>>
>>> Regards.
>>>
>>> On Monday, June 5, 2017 at 6:24:14 PM UTC+2, John Kondur wrote:

>>>> I just started to use ossec, and was doing some testing by making some 
>>>> changes in a file in a directory, and then I run from the server:
>>>>
>>>>
>>>> /var/ossec/bin/agent_control -r -a
>>>>
>>>>
>>>> if I do a query on the agent:
>>>>
>>>>
>>>>
>>>> /var/ossec/bin/agent_control -i 1027
>>>>
>>>>
>>>>
>>>> It will show last time it started but never shows when it completes? 
>>>> Is there a process or way to check to see if it completed or am I not 
>>>> waiting long enough?  So far I am not seeing ossec pick up that the file 
>>>> changes.
>>>>
>>>> Thanks
>>>>


[ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-06 Thread John Kondur
Thanks but unfortunately all it shows is the following:


OSSEC HIDS agent_control. Agent information:
   Agent ID:   1027
   Agent Name: server1
   IP address: any/any
   Status: Active

   Operating system:Linux 4.4.
   Client version:  OSSEC HIDS v2.8.3 / 6322ee12ea9a05951f97923a8341a01a
   Last keep alive: Tue Jun  6 19:10:59 2017

   Syscheck last started  at: Tue Jun  6 18:19:23 2017
   Rootcheck last started at: Tue Jun  6 18:41:54 2017

 
It just shows last started, but never shows when it completes.


On Tuesday, June 6, 2017 at 4:42:52 AM UTC-4, Jesus Linares wrote:
>
> Hi John,
>
> I think it should appear in */var/ossec/bin/agent_control -i 1027*. Also, 
> you can review the ossec.conf of your agent.
>
> Regards.
>
> On Monday, June 5, 2017 at 6:24:14 PM UTC+2, John Kondur wrote:
>>
>> I just started to use ossec, and was doing some testing by making some 
>> changes in a file in a directory, and then I run from the server:
>>
>>
>> /var/ossec/bin/agent_control -r -a
>>
>>
>> if I do a query on the agent:
>>
>>
>>
>> /var/ossec/bin/agent_control -i 1027
>>
>>
>>
>> It will show last time it started but never shows when it completes?  Is 
>> there a process or way to check to see if it completed or am I not waiting 
>> long enough?  So far I am not seeing ossec pick up that the file changes.
>>
>> Thanks
>>
>



[ossec-list] Re: How to know when syscheck agent finishes a scan?

2017-06-06 Thread Jesus Linares
Hi John,

I think it should appear in */var/ossec/bin/agent_control -i 1027*. Also, 
you can review the ossec.conf of your agent.

Regards.

On Monday, June 5, 2017 at 6:24:14 PM UTC+2, John Kondur wrote:
>
> I just started to use ossec, and was doing some testing by making some 
> changes in a file in a directory, and then I run from the server:
>
>
> /var/ossec/bin/agent_control -r -a
>
>
> if I do a query on the agent:
>
>
>
> /var/ossec/bin/agent_control -i 1027
>
>
>
> It will show last time it started but never shows when it completes?  Is 
> there a process or way to check to see if it completed or am I not waiting 
> long enough?  So far I am not seeing ossec pick up that the file changes.
>
> Thanks
>
