I can't think of a reason for the syscheck db to be written to when there were no changes.
`/var/ossec/bin/syscheck_control -i AGENT_ID` will show the timestamp of the changes for AGENT. You can also check the agent's ossec.log file for entries about syscheck running.

On Tue, Nov 29, 2011 at 8:44 PM, Marcos Tang <[email protected]> wrote:
> Hi,
>
> I have a question about the behavior of the <frequency> parameter inside the
> agent.conf file.
>
> Right now, the OSSEC agent has the agent.conf file with
> <frequency>86400</frequency> setup, or it will scan the files every 20
> hours.
>
> One observation from the OSSEC server is the timestamp of the output
> integrity files found at /opt/ossec/queue/syscheck/ is not updated every 20
> hours. I can see some files are created back to 1 month ago.
>
> Is it true if there is no file change on the OSSEC agent, will the timestamp
> of the corresponding syscheck file at the OSSEC server get updated every 20
> hours? Or it will not be updated until some changes are detected?
>
> Remarks: The output of "syscheck_control -l" shows that OSSEC agent is
> ACTIVE all the time. So I think the communication between them should be ok.
>
> Regards,
> Marcos
