>
> Thanks, that helped a lot and definitely sped it up. We went from several
> hours to 4 minutes now. This includes our entire webapp
If syscheck sends too many events in a short period of time, it is possible
that they are lost due to UDP. So, don't use values that are too low.
Is there a way to
Thanks, that helped a lot and definitely sped it up. We went from several
hours to 4 minutes now. This includes our entire webapp
Is there a way to speed up rootcheck? That is the longest part of the scan
that takes 15 minutes now, so the whole process takes approx 20 minutes now.
But I
Hi John,
there is a way to speed up syscheck. By default *syscheck sleeps 2 seconds
every 15 files*. This avoids packet loss due to UDP. You can overwrite this
configuration in *local_internal_options.conf*:
$ nano /var/ossec/etc/local_internal_options.conf
syscheck.sleep=1
Hi John
You cannot speed up the syscheck, but you can always add the option *realtime*
for your more important folders; with this option you will have the alerts
in “real time” :)
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html?highlight=realtime
Regards
Thanks, I did find it; that did help.
I had two more questions; not sure if I should start another thread:
I had frequency set on the agents to:
7200
I looked in the ossec.log and it never kicked off, and it has been 15 hours
since the last scan finished. I restarted the agent and it kicked off
Thanks but unfortunately all it shows is the following:
OSSEC HIDS agent_control. Agent information:
Agent ID: 1027
Agent Name: server1
IP address: any/any
Status: Active
Operating system:Linux 4.4.
Client version: OSSEC HIDS v2.8.3 /
Hi John,
I think it should appear in */var/ossec/bin/agent_control -i 1027*. Also,
you can review the ossec.conf of your agent.
Regards.
On Monday, June 5, 2017 at 6:24:14 PM UTC+2, John Kondur wrote:
>
> I just started to use ossec, and was doing some testing by making some
> changes in a