On that note, I'm actually pushing out agent.conf with the frequency and scan_on_start settings in it. And it does seem to work so far.

On Sep 30, 10:54 am, "dan (ddp)" <[email protected]> wrote:
> It works for me, nothing in my ossec.log about a scan being started.
>
> On Thu, Sep 30, 2010 at 1:47 PM, jplee3 <[email protected]> wrote:
> > I tested more and initially it seemed like <frequency>0</frequency>
> > did the trick but I noticed syscheck was still kicking off. This was
> > after a couple restarts of OSSEC. I tried setting back to the value of
> > seconds in a year and sure enough syscheck did not kick off. So I'm
> > not sure that setting the frequency to 0 truly works.
>
> > On Sep 30, 9:19 am, "dan (ddp)" <[email protected]> wrote:
> >> It looks like 600 is the default based on these snippets of code:
> >> #define SYSCHECK_WAIT 300
>
> >> syscheck.time = SYSCHECK_WAIT * 2;
>
> >> Setting <frequency>0</frequency> stopped syscheck from running on my
> >> systems.
>
> >> On Thu, Sep 30, 2010 at 10:29 AM, jplee3 <[email protected]> wrote:
> >> > I think I may have figured out a 'hackish' solution. I went ahead and
> >> > set frequency to 31536000 (1 year...haha). As far as scan_on_start, I
> >> > believe it does work - it seems OSSEC defaults to 10 minutes or 600
> >> > seconds if frequency or scan_time are not specified. Is this intended
> >> > behavior?
>
> >> > On Sep 30, 6:16 am, jplee3 <[email protected]> wrote:
> >> >> Here is what I see, and I think this across all my servers with this
> >> >> config:
>
> >> >> 2010/09/30 07:52:32 ossec-syscheckd: INFO: Starting syscheck scan.
> >> >> 2010/09/30 08:02:45 ossec-syscheckd: INFO: Ending syscheck scan.
> >> >> 2010/09/30 08:17:45 ossec-syscheckd: INFO: Starting syscheck scan.
> >> >> 2010/09/30 08:27:58 ossec-syscheckd: INFO: Ending syscheck scan.
> >> >> 2010/09/30 08:42:58 ossec-syscheckd: INFO: Starting syscheck scan.
> >> >> 2010/09/30 08:53:11 ossec-syscheckd: INFO: Ending syscheck scan.
> >> >> 2010/09/30 09:08:11 ossec-syscheckd: INFO: Starting syscheck scan.
>
> >> >> (syscheck running almost every 10 minutes)
>
> >> >> Is this the 'default' if I don't specify a frequency (or comment it
> >> >> out), scan time or scan day (even though scan day doesn't work)?
>
> >> >> I want to be able to kick syscheck off "on-demand" but am essentially
> >> >> trying to do it via cron (through agent_control) because I only want
> >> >> it to run once a week on early Sunday morning (and scan_day appears
> >> >> broken so there is no way to effectively do this otherwise).
>
> >> >> Any help on this?
>
> >> >> On Sep 28, 11:20 am, "dan (ddp)" <[email protected]> wrote:
>
> >> >> > On Tue, Sep 28, 2010 at 1:31 PM, Jeremy Lee <[email protected]> wrote:
> >> >> > > That makes sense. I guess what I'd really want to see the option to
> >> >> > > push/update just a single 'config' file (ossec.conf) to all clients
> >> >> > > :)
>
> >> >> > If the only configuration you do in the ossec.conf is the server IP,
> >> >> > then pushing out the agent.conf is basically what you're asking for.
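
Added example, not part of the thread and not OSSEC code: one way to check from ossec.log whether a pushed frequency or scan_on_start setting took effect is to measure how long each syscheck scan ran and how long the agent idled before the next one. The function names are hypothetical; the sample lines are the ones quoted in the thread.

```python
import re
from datetime import datetime

# Log lines as quoted in the thread; in practice read them from the agent's ossec.log.
SAMPLE_LOG = """\
2010/09/30 07:52:32 ossec-syscheckd: INFO: Starting syscheck scan.
2010/09/30 08:02:45 ossec-syscheckd: INFO: Ending syscheck scan.
2010/09/30 08:17:45 ossec-syscheckd: INFO: Starting syscheck scan.
2010/09/30 08:27:58 ossec-syscheckd: INFO: Ending syscheck scan.
2010/09/30 08:42:58 ossec-syscheckd: INFO: Starting syscheck scan.
2010/09/30 08:53:11 ossec-syscheckd: INFO: Ending syscheck scan.
2010/09/30 09:08:11 ossec-syscheckd: INFO: Starting syscheck scan.
"""

LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-syscheckd: INFO: "
    r"(Starting|Ending) syscheck scan\.")

def parse_events(text):
    """Return [(datetime, 'Starting' | 'Ending'), ...] for syscheck scan lines only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def scan_timing(events):
    """Return (durations, idle_gaps) in seconds; unpaired events (restart mid-scan) are skipped."""
    durations, gaps = [], []
    for (t0, k0), (t1, k1) in zip(events, events[1:]):
        delta = int((t1 - t0).total_seconds())
        if k0 == "Starting" and k1 == "Ending":
            durations.append(delta)   # how long the scan itself took
        elif k0 == "Ending" and k1 == "Starting":
            gaps.append(delta)        # idle time before the next scan
    return durations, gaps

def scans_after(events, cutoff):
    """Scan start times later than `cutoff`, e.g. the moment the new agent.conf was pushed."""
    return [t for t, kind in events if kind == "Starting" and t > cutoff]

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("durations, idle gaps (s):", scan_timing(events))
    print("scans after 08:30:", scans_after(events, datetime(2010, 9, 30, 8, 30)))
```

An empty result from `scans_after` for a cutoff set to the time of the config push (plus one agent restart) means no scan has started since the change.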
