In my observations, it appears that reducing frequency to 0 made syscheck/rootcheck attempt to run even more often. Syscheck would end and then immediately start up again within seconds.
On Sep 30, 9:31 am, Jeremy Lee <[email protected]> wrote: > Aha. I didn't even think of that! I will set to 0 and hopefully things will > work out. One thing to note: it seems that frequency, scan_time, and > scan_day are options that are not working in agent.conf > > On Thu, Sep 30, 2010 at 9:19 AM, dan (ddp) <[email protected]> wrote: > > It looks like 600 is the default based on these snippets of code: > > #define SYSCHECK_WAIT 300 > > > syscheck.time = SYSCHECK_WAIT * 2; > > > Setting <frequency>0</frequency> stopped syscheck from running on my > > systems. > > > On Thu, Sep 30, 2010 at 10:29 AM, jplee3 <[email protected]> wrote: > > > I think I may have figured out a 'hackish' solution. I went ahead and > > > set frequency to 31536000 (1 year...haha). As far as scan_on_start, I > > > believe it does work - it seems OSSEC defaults to 10 minutes or 600 > > > seconds if frequency or scan_time are not specified. Is this intended > > > behavior? > > > > On Sep 30, 6:16 am, jplee3 <[email protected]> wrote: > > >> Here is what I see, and I think this across all my servers with this > > >> config: > > > >> 2010/09/30 07:52:32 ossec-syscheckd: INFO: Starting syscheck scan. > > >> 2010/09/30 08:02:45 ossec-syscheckd: INFO: Ending syscheck scan. > > >> 2010/09/30 08:17:45 ossec-syscheckd: INFO: Starting syscheck scan. > > >> 2010/09/30 08:27:58 ossec-syscheckd: INFO: Ending syscheck scan. > > >> 2010/09/30 08:42:58 ossec-syscheckd: INFO: Starting syscheck scan. > > >> 2010/09/30 08:53:11 ossec-syscheckd: INFO: Ending syscheck scan. > > >> 2010/09/30 09:08:11 ossec-syscheckd: INFO: Starting syscheck scan. > > > >> (syscheck running almost every 10 minutes) > > > >> Is this the 'default' if I don't specify a frequency (or comment it > > >> out), scan time or scan day (even though scan day doesn't work)? > > > >> I want to be able to kick syscheck off "on-demand" but am essentially > > >> trying to do it via cron (through agent_control) because I only want > > >> it to run once a week on early Sunday morning (and scan_day appears > > >> broken so there is no way to effectively do this otherwise). > > > >> Any help on this? > > > >> On Sep 28, 11:20 am, "dan (ddp)" <[email protected]> wrote: > > > >> > On Tue, Sep 28, 2010 at 1:31 PM, Jeremy Lee <[email protected]> wrote: > > >> > > That makes sense. I guess what I'd really want to see the option to > > >> > > push/update just a single 'config' file (ossec.conf) to all clients > > :) > > > >> > If the only configuration you do in the ossec.conf is the server IP, > > >> > then pushing out the agent.conf is basically what you're asking for.
