Added it to bitbucket.
https://bitbucket.org/dcid/ossec-hids/issue/35/syscheck-agentconf-configurable-random

Hopefully something we could get added in a near release. :)

On Feb 14, 7:18 am, "dan (ddp)" <[email protected]> wrote:
> Agree, 100%.
>
> On Fri, Feb 10, 2012 at 6:23 PM, BP9906 <[email protected]> wrote:
> > Yeah I agree. The random window is good. Would be good if it was
> > configurable though because that window might not amount to much if
> > you have a lot of agents at a particular interval. I think having an
> > hour random time for me should be sufficient, but others might not
> > like a whole hour.
>
> > On Feb 10, 5:34 am, "dan (ddp)" <[email protected]> wrote:
> >> On Thu, Feb 9, 2012 at 3:04 PM, BP9906 <[email protected]> wrote:
> >> > Is it possible to have multiple start times for Syscheck?
>
> >> > I tried
> >> > <scan_time>05:00,11:00,18:00</scan_time>
>
> >> > but the ossec agent complains about it.
> >> > I'm going to try
> >> >    <scan_time>05:00</scan_time>
> >> >    <scan_time>11:00</scan_time>
> >> >    <scan_time>18:00</scan_time>
>
> >> > Just trying to find a happy medium here.
>
> >> > The problem is that if I use frequency to every 6-7 hrs it causes a
> >> > UDP storm from 30+ machines for syscheck data on top of the usual
> >> > alert sending. I've maxed out the buffer size on my linux kernel,
> >> > ossec server agent count is very high, and the server can handle it,
> >> > just that there's so much that the ossec server doesn't read the buffer
> >> > fast enough for the data coming through so I get intermittent results/
> >> > data for the roughly 30 min window while all these machines send their
> >> > syscheck results.
>
> >> > It would be nice to be able to give syscheck a random 2hr window to
> >> > the start time to reduce this chance, or to be able to stagger out the
> >> > machines in separate agent.conf configs based on multiple start times.
>
> >> I like the randomized start time idea. Something like "run every 6-ish
> >> hours, but start 1-30 minutes after the 6 hour mark."

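An added illustration of the two staggering ideas discussed in the thread (the random start window and splitting agents across several fixed scan times); this is constructed example code, not code from the thread or from OSSEC, and the function names and the uniform-offset model are assumptions:

```python
import random
from collections import Counter

# Constructed model (hypothetical names, not OSSEC code): N agents share one
# syscheck scan_time; the server sees a burst when many of them start at once.

def random_offsets(agent_count, window_minutes, seed=0):
    """Per-agent start delay in minutes, drawn uniformly from 0..window.
    window_minutes=0 models today's behaviour: everyone starts together."""
    rng = random.Random(seed)          # seeded so runs are reproducible
    return [rng.randint(0, window_minutes) for _ in range(agent_count)]

def peak_per_minute(offsets):
    """Largest number of agents beginning their scan in the same minute."""
    return max(Counter(offsets).values())

def expected_per_minute(agent_count, window_minutes):
    """Average load per minute if offsets spread evenly over the window;
    with many agents the window must grow to keep this near 1."""
    return agent_count / (window_minutes + 1)

def staggered_groups(agent_count, start_times):
    """The other proposal: split agents round-robin across several fixed
    scan_time values (e.g. separate agent.conf groups). Returns the number
    of agents per start time; the largest entry is the per-slot peak."""
    groups = Counter()
    for i in range(agent_count):
        groups[start_times[i % len(start_times)]] += 1
    return dict(groups)

if __name__ == "__main__":
    agents = 30
    print("no jitter  peak:", peak_per_minute(random_offsets(agents, 0)))
    for window in (30, 120):
        offs = random_offsets(agents, window, seed=42)
        print(f"{window:>3}-min window peak: {peak_per_minute(offs)} "
              f"(expected avg {expected_per_minute(agents, window):.2f}/min)")
    print("3 fixed times:", staggered_groups(agents, ["05:00", "11:00", "18:00"]))
```

Raising the agent count while keeping the window fixed pushes the per-minute peak back up, which is the capacity-planning point behind making the window configurable.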