I have a client setup with an ossec manager (v2.6) and 10 ossec agents
(v2.6) using centralized configuration (agent.conf). My agent.conf
looks like this (server names and directories sanitized for public
forum):

<agent_config>
 <syscheck>
  <alert_new_files>yes</alert_new_files>
  <frequency>3600</frequency>
  <disabled>no</disabled>
 </syscheck>
</agent_config>

<agent_config name="enter_server_name">
  <syscheck>
   <directories check_all="yes">enter_custom_directory</directories>
    <!-- Default files to be monitored - system32 only. -->
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/system.ini</directories>
    <directories check_all="yes">C:\autoexec.bat</directories>
    <directories check_all="yes">C:\config.sys</directories>
    <directories check_all="yes">C:\boot.ini</directories>
    <directories check_all="yes">%WINDIR%/System32/CONFIG.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/AUTOEXEC.NT</directories>
    <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/debug.exe</directories>
    <directories check_all="yes">%WINDIR%/System32/drwatson.exe</directories>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
  </syscheck>
</agent_config>

The agent's ossec.conf looks like this:

<ossec_config>
   <client>
      <server-ip>999.999.999.999</server-ip>
   </client>
 </ossec_config>

Everything is working as it should. The agents alert for registry
changes, new files, etc. However, the frequency is not working. For
some agents, when queried in agent_control, they show syscheck as last
completed 22 hours ago... for others it's less than an hour ago. As I
understand it, the <agent_config> blocks should be cumulative.

I've checked the syscheck directory and all of the db files have .cpt
files showing they completed at least once. Additionally, I checked
the md5 sum of the server agent.conf and it matches the md5 of the
agent.conf on the agents.

Furthermore, the agent_control timestamps show that syscheck completed
within 10 minutes... with a frequency of an hour, I don't think that
should be an issue.

Is there any reason the frequency specified (3600) is not working as
it should? Any troubleshooting steps I can perform to find out the
cause of syscheck frequency not working?

I sincerely appreciate your response!
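Added example, not part of the post and not an OSSEC tool: a small Python script that merges agent.conf blocks the way the post expects them to be cumulative (the global block plus any block whose name attribute matches the agent) and compares the last-completed time shown by agent_control with the frequency the merged configuration implies. It assumes OSSEC's documented default of 79200 seconds (22 hours) whenever no <frequency> survives the merge, so an agent whose last completion sits at about 22 hours is flagged as running on the default interval, which is the first thing to check when a 3600-second frequency appears to be ignored. Agent names, paths and timestamps below are constructed; selectors other than name (os, profile) are not handled.

```python
import time
import xml.etree.ElementTree as ET

# OSSEC's documented default for <frequency> when a syscheck block omits it:
# 79200 seconds, i.e. 22 hours.
DEFAULT_SYSCHECK_FREQUENCY = 79200

# Constructed sample in the shape of the agent.conf from the post: one global
# block and one block restricted by name. Names and paths are placeholders.
SAMPLE_AGENT_CONF = r"""
<agent_config>
 <syscheck>
  <alert_new_files>yes</alert_new_files>
  <frequency>3600</frequency>
  <disabled>no</disabled>
 </syscheck>
</agent_config>

<agent_config name="win-app-01">
  <syscheck>
    <directories check_all="yes">C:\custom</directories>
    <!-- Default files to be monitored - system32 only. -->
    <directories check_all="yes">%WINDIR%/win.ini</directories>
    <directories check_all="yes">%WINDIR%/System32/at.exe</directories>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
  </syscheck>
</agent_config>
"""


def parse_agent_conf(text):
    """agent.conf is a series of top-level <agent_config> elements rather than
    one XML document, so wrap it in a synthetic root before parsing."""
    root = ET.fromstring("<root>" + text + "</root>")
    return root.findall("agent_config")


def block_applies(block, agent_name):
    """A block without a name selector applies to every agent; a named block
    applies only to the agent it names (os/profile selectors not handled)."""
    name = block.get("name")
    return name is None or name == agent_name


def effective_syscheck(text, agent_name):
    """Merge every applicable block in file order. Scalar settings take the
    last value seen; directories and registry keys accumulate."""
    merged = {"frequency": None, "disabled": None, "alert_new_files": None,
              "directories": [], "windows_registry": []}
    for block in parse_agent_conf(text):
        if not block_applies(block, agent_name):
            continue
        for syscheck in block.findall("syscheck"):
            for child in syscheck:
                value = (child.text or "").strip()
                if child.tag in ("directories", "windows_registry"):
                    merged[child.tag].append(value)
                elif child.tag == "frequency":
                    merged["frequency"] = int(value)
                elif child.tag in merged:
                    merged[child.tag] = value
    return merged


def check_agent(text, agent_name, last_completed_epoch, now_epoch, slack=600):
    """Compare the agent's last syscheck completion time (epoch seconds, as
    read from agent_control output) with the merged frequency. slack absorbs
    scan duration and clock skew."""
    merged = effective_syscheck(text, agent_name)
    explicit = merged["frequency"] is not None
    frequency = merged["frequency"] if explicit else DEFAULT_SYSCHECK_FREQUENCY
    age = now_epoch - last_completed_epoch
    return {
        "agent": agent_name,
        "frequency": frequency,
        "frequency_explicit": explicit,
        "age_seconds": int(age),
        # Older than one interval plus slack: the configured frequency is not
        # being honoured.
        "stale": age > frequency + slack,
        # Age lands on the 22-hour default: the agent is probably running with
        # no effective <frequency> at all.
        "matches_default_interval": abs(age - DEFAULT_SYSCHECK_FREQUENCY) <= slack,
    }


if __name__ == "__main__":
    now = int(time.time())
    # Constructed timings: one agent at 22 hours, one at 10 minutes.
    for agent, last in (("win-app-01", now - 22 * 3600),
                        ("win-app-02", now - 10 * 60)):
        print(check_agent(SAMPLE_AGENT_CONF, agent, last, now))
```

Run it against the real agent.conf by reading the file into `text` and feeding each agent name from `agent_control -l`; an agent that comes back with `stale` and `matches_default_interval` both true is behaving as if the global block's frequency never reached it.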
