It can take a while. I think syscheck (don't know about rootcheck) throttles itself so it doesn't eat up all of the IO/CPU on the system.

On Fri, Mar 12, 2010 at 8:10 AM, Devendra Agrawal <[email protected]> wrote:
> I wanted to confirm if it is normal for ossec manager & agent to take about
> 30-40 minutes to complete all scans after it is restarted. Both manager and
> agent are linux and only /etc, /usr/bin, /usr/sbin, /bin, /sbin directories
> are getting checked
>
> Ossec Manager (ossec.log)
> ----------------------------------------
> 2010/03/11 13:11:14 ossec-syscheckd: INFO: Starting syscheck database
> (pre-scan).
> 2010/03/11 13:14:54 ossec-syscheckd: INFO: Finished creating syscheck
> database (pre-scan completed).
> 2010/03/11 13:16:54 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2010/03/11 13:27:49 ossec-syscheckd: INFO: Ending syscheck scan (forwarding
> database).
> 2010/03/11 13:28:09 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2010/03/11 13:44:44 ossec-rootcheck: INFO: Ending rootcheck scan.
>
>
> Ossec agent (ossec.log)
> -----------------------------------
> 2010/03/11 09:12:11 ossec-syscheckd: INFO: Starting syscheck database
> (pre-scan).
> 2010/03/11 09:12:11 ossec-syscheckd: INFO: Initializing real time file
> monitoring (not started).
> 2010/03/11 09:18:23 ossec-syscheckd: INFO: Finished creating syscheck
> database (pre-scan completed).
> 2010/03/11 09:20:23 ossec-syscheckd: INFO: Starting syscheck scan
> (forwarding database).
> 2010/03/11 09:37:23 ossec-syscheckd: INFO: Ending syscheck scan (forwarding
> database).
> 2010/03/11 09:37:43 ossec-syscheckd: INFO: Starting real time file
> monitoring.
> 2010/03/11 09:37:43 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2010/03/11 10:05:15 ossec-rootcheck: INFO: Ending rootcheck scan.
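
To see where the 30-40 minutes go, the start and end lines in ossec.log can be paired per phase. The script below is an added example, not part of the original thread or of OSSEC; `phase_durations`, `PHASES` and `SAMPLE_LOG` are names chosen here, and the sample input is the agent log quoted above with the mail client's line wrapping undone.

```python
import re
from datetime import datetime

# Constructed sample: the agent's ossec.log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
2010/03/11 09:12:11 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2010/03/11 09:12:11 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2010/03/11 09:18:23 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2010/03/11 09:20:23 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2010/03/11 09:37:23 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2010/03/11 09:37:43 ossec-syscheckd: INFO: Starting real time file monitoring.
2010/03/11 09:37:43 ossec-rootcheck: INFO: Starting rootcheck scan.
2010/03/11 10:05:15 ossec-rootcheck: INFO: Ending rootcheck scan.
"""

LINE_RE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (ossec-\w+): INFO: (.*)$")

# (phase name, start message prefix, end message prefix), taken from the quoted log text.
PHASES = [
    ("syscheck pre-scan", "Starting syscheck database", "Finished creating syscheck database"),
    ("syscheck scan", "Starting syscheck scan", "Ending syscheck scan"),
    ("rootcheck scan", "Starting rootcheck scan", "Ending rootcheck scan"),
]

def phase_durations(log_text):
    """Return [(phase, seconds), ...] for every completed phase, in log order."""
    started = {}
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a timestamped INFO line
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(3)
        for name, start, end in PHASES:
            if msg.startswith(start):
                started[name] = ts  # a restart mid-phase replaces the stale start
            elif msg.startswith(end) and name in started:
                elapsed = ts - started.pop(name)
                results.append((name, int(elapsed.total_seconds())))
    return results

if __name__ == "__main__":
    for name, secs in phase_durations(SAMPLE_LOG):
        print(f"{name:18s} {secs // 60:3d}m {secs % 60:02d}s")
```

An end line with no matching start (for example after log rotation) is ignored rather than reported with a wrong duration.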
