On Wed, Aug 17, 2011 at 5:22 AM, Demmy Adeyemo <[email protected]> wrote:
> Hi Dan
>
> Thanks for your reply. On the OSSEC manual it says the value specified
> in the frequency tag is in seconds, so I assumed 120 should be about 2
> minutes. From my logs, it shows that it takes less than a minute for
> it to run,
>
> 2011/08/11 12:33:57 ossec-agent: INFO: Starting rootcheck scan.
>
> 2011/08/11 12:34:04 ossec-agent: INFO: Ending rootcheck scan.
>
> 2011/08/11 12:39:05 ossec-agent: INFO: Starting rootcheck scan.
>
> 2011/08/11 12:39:10 ossec-agent: INFO: Ending rootcheck scan.
>
> 2011/08/11 12:44:13 ossec-agent: INFO: Starting rootcheck scan.
>
> 2011/08/11 12:44:35 ossec-agent: INFO: Ending rootcheck scan.
>
> As shown, even at <frequency>120</frequency> it runs every 5 minutes.
>
> How does OSSEC calculate the frequency cycle? Can I possibly alter
> that file to decrease the frequency cycle?
> OR
>
> How else can I make OSSEC monitor and alert on prohibited Windows
> applications running in real time?
>
> Thanks in advance
>

I don't know how to do this. The OSSEC code is open source, so you can try to figure out how to make it run quicker.
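
An added example, not part of the original thread and not OSSEC's own code: a Python script that measures the actual rootcheck cadence from the agent log lines quoted above, so the observed interval can be compared with the configured `<frequency>` value. The function names and the `tolerance` parameter are hypothetical; the sample input is the six log lines from the quoted message.

```python
import re
from datetime import datetime

# The six log lines quoted in the message (agent set to <frequency>120</frequency>).
SAMPLE_LOG = """\
2011/08/11 12:33:57 ossec-agent: INFO: Starting rootcheck scan.
2011/08/11 12:34:04 ossec-agent: INFO: Ending rootcheck scan.
2011/08/11 12:39:05 ossec-agent: INFO: Starting rootcheck scan.
2011/08/11 12:39:10 ossec-agent: INFO: Ending rootcheck scan.
2011/08/11 12:44:13 ossec-agent: INFO: Starting rootcheck scan.
2011/08/11 12:44:35 ossec-agent: INFO: Ending rootcheck scan.
"""

# Assumption: any program name may precede ": INFO:"; only the message text is matched.
LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+: INFO: (Starting|Ending) rootcheck scan\.")

def parse_scans(log_text):
    """Return [(start, end), ...] datetimes, one pair per completed scan."""
    scans, start = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if m.group(2) == "Starting":
            start = ts  # a later "Starting" replaces an unfinished scan
        elif start is not None:
            scans.append((start, ts))
            start = None
    return scans

def cadence(scans):
    """Return (scan durations, start-to-start gaps, end-to-next-start gaps) in seconds."""
    secs = lambda a, b: int((b - a).total_seconds())
    pairs = list(zip(scans, scans[1:]))
    durations = [secs(s, e) for s, e in scans]
    start_gaps = [secs(a[0], b[0]) for a, b in pairs]
    idle_gaps = [secs(a[1], b[0]) for a, b in pairs]
    return durations, start_gaps, idle_gaps

def off_schedule(configured, gaps, tolerance=10):
    """Gaps that differ from the configured frequency by more than tolerance seconds."""
    return [g for g in gaps if abs(g - configured) > tolerance]

if __name__ == "__main__":
    durations, start_gaps, idle_gaps = cadence(parse_scans(SAMPLE_LOG))
    print("scan durations (s):", durations)
    print("start-to-start gaps (s):", start_gaps)
    print("idle gaps (s):", idle_gaps)
    print("gaps not matching 120 s:", off_schedule(120, start_gaps))
```
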
