On Thu, Feb 9, 2012 at 3:04 PM, BP9906 <[email protected]> wrote:
> Is it possible to have multiple start times for Syscheck?
>
> I tried
> <scan_time>05:00,11:00,18:00</scan_time>
>
> but the ossec agent complains about it.
> I'm going to try
>    <scan_time>05:00</scan_time>
>    <scan_time>11:00</scan_time>
>    <scan_time>18:00</scan_time>
>
> Just trying to find a happy medium here.
>
> The problem is that if I use frequency to every 6-7 hrs it causes a
> UDP storm from 30+ machines for syscheck data on top of the usual
> alert sending. I've maxed out the buffer size on my linux kernel,
> ossec server agent count is very high, and the server can handle it,
> just that there's so much that the ossec server doesn't read the buffer
> fast enough for the data coming through so I get intermittent results/
> data for the roughly 30 min window while all these machines send their
> syscheck results.
>
> It would be nice to be able to give syscheck a random 2hr window to
> the start time to reduce this chance, or to be able to stagger out the
> machines in separate agent.conf configs based on multiple start times.

I like the randomized start time idea. Something like "run every 6-ish
hours, but start 1-30 minutes after the 6 hour mark."
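The staggered schedule proposed above, as an added example that is not OSSEC's own code and not an existing OSSEC option: each agent derives a stable offset inside the 30-minute window from its own name, and a small simulation over a constructed fleet of 30 agents compares the per-minute peak of agents starting syscheck with and without the stagger.

```python
import hashlib
from collections import Counter

# Constructed sample fleet of 30 agents (hypothetical names, not real hosts).
AGENTS = [f"agent-{i:02d}" for i in range(1, 31)]
FREQUENCY_SECONDS = 6 * 3600   # "run every 6-ish hours"
WINDOW_SECONDS = 30 * 60       # "start up to 30 minutes after the 6 hour mark"


def stagger_offset(agent_id: str, window: int = WINDOW_SECONDS) -> int:
    """Deterministic delay in [0, window) seconds derived from the agent name.

    A hash instead of random() keeps the offset stable across agent restarts,
    so every agent always lands in the same slot and the fleet stays spread out.
    A window of 0 disables the stagger (all agents fire on the boundary).
    """
    if window <= 0:
        return 0
    digest = hashlib.sha256(agent_id.encode()).digest()
    return int.from_bytes(digest[:8], "big") % window


def next_scan_time(agent_id: str, now: int, frequency: int = FREQUENCY_SECONDS,
                   window: int = WINDOW_SECONDS) -> int:
    """Epoch second of the agent's next scan: next frequency boundary plus its offset."""
    boundary = (now // frequency + 1) * frequency
    return boundary + stagger_offset(agent_id, window)


def peak_senders_per_minute(agents, now: int, window: int) -> int:
    """Largest number of agents whose next scan starts within the same minute.

    This is the burst the server has to absorb; without stagger it equals the
    fleet size, with stagger it drops to however many share a slot.
    """
    per_minute = Counter(next_scan_time(a, now, window=window) // 60 for a in agents)
    return max(per_minute.values())


if __name__ == "__main__":
    now = 1_700_000_000  # constructed "current time"
    print("peak without stagger:", peak_senders_per_minute(AGENTS, now, 0))
    print("peak with stagger:   ", peak_senders_per_minute(AGENTS, now, WINDOW_SECONDS))
```

The same offset idea applies to any periodic reporting job, not only syscheck; the window just needs to be wide enough that the server drains its receive buffer faster than agents start.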
