Yeah I agree. The random window is good. Would be good if it was configurable though because that window might not amount to much if you have a lot of agents at a particular interval. I think having an hour random time for me should be sufficient, but others might not like a whole hour.
On Feb 10, 5:34 am, "dan (ddp)" <[email protected]> wrote:
> On Thu, Feb 9, 2012 at 3:04 PM, BP9906 <[email protected]> wrote:
> > Is it possible to have multiple start times for Syscheck?
> >
> > I tried
> > <scan_time>05:00,11:00,18:00</scan_time>
> >
> > but the ossec agent complains about it.
> > I'm going to try
> > <scan_time>05:00</scan_time>
> > <scan_time>11:00</scan_time>
> > <scan_time>18:00</scan_time>
> >
> > Just trying to find a happy medium here.
> >
> > The problem is that if I use frequency to every 6-7 hrs it causes a UDP storm from 30+ machines for syscheck data on top of the usual alert sending. I've maxed out the buffer size on my linux kernel, ossec server agent count is very high, and the server can handle it, just that there's so much that the ossec server doesn't read the buffer fast enough for the data coming through so I get intermittent results/data for the roughly 30 min window while all these machines send their syscheck results.
> >
> > It would be nice to be able to give syscheck a random 2hr window to the start time to reduce this chance, or to be able to stagger out the machines in separate agent.conf configs based on multiple start times.
>
> I like the randomized start time idea. Something like "run every 6-ish hours, but start 1-30 minutes after the 6 hour mark."
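As an added example (not from this thread or from OSSEC itself), here is one way to do the per-agent staggering the original poster asked about without waiting for a configurable random window: derive each agent's `<scan_time>` from a hash of its name within a chosen window, then count how many agents land on the same minute to see how much a given window actually spreads the burst. It assumes the HH:MM `scan_time` format quoted above and uses constructed agent names.

```python
import hashlib
from collections import Counter

# Constructed inventory standing in for the "30+ machines" in the thread; not real hosts.
AGENTS = [f"web{i:02d}" for i in range(1, 31)]


def stagger_offset(agent_name: str, window_minutes: int) -> int:
    """Deterministic offset in [0, window_minutes) derived from the agent name.

    Hashing the name instead of drawing a random number means regenerating
    the configs always gives a host the same start time, so the spread is
    stable and can be reviewed.
    """
    digest = hashlib.sha256(agent_name.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % window_minutes


def scan_time_for(agent_name: str, base: str, window_minutes: int) -> str:
    """HH:MM start time: the shared base time plus this agent's offset (wraps past midnight)."""
    hours, minutes = (int(part) for part in base.split(":"))
    total = hours * 60 + minutes + stagger_offset(agent_name, window_minutes)
    return f"{(total // 60) % 24:02d}:{total % 60:02d}"


def scan_time_element(agent_name: str, base: str, window_minutes: int) -> str:
    """The <scan_time> fragment for that agent's syscheck section."""
    return f"<scan_time>{scan_time_for(agent_name, base, window_minutes)}</scan_time>"


def peak_agents_per_minute(agents, base: str, window_minutes: int) -> int:
    """Largest number of agents sharing one start minute, i.e. the worst-case burst."""
    starts = Counter(scan_time_for(name, base, window_minutes) for name in agents)
    return max(starts.values())


if __name__ == "__main__":
    # A window of 1 minute is the unstaggered case: every agent fires together.
    for window in (1, 30, 60, 120):
        peak = peak_agents_per_minute(AGENTS, "05:00", window)
        print(f"window {window:3d} min -> peak {peak:2d} agents in one minute")
    print(scan_time_element("web01", "05:00", 60))
```

The printed peaks show why the reply above wants the window configurable: with one fixed time all 30 agents report in the same minute, and the spread only grows with the window size relative to the agent count.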
