Hi,
I'm trying to configure real-time notification on some servers. After
editing ossec.conf:
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>3600</frequency>
  <alert_new_files>yes</alert_new_files>
  <scan_on_start>no</scan_on_start>
  <auto_ignore>no</auto_ignore>
  <!-- Directories to check (perform all possible verifications) -->
  <directories realtime="yes" report_changes="yes" check_all="yes">/etc,/var/spool/cron</directories>
  <directories realtime="yes" check_all="yes">/home/user123</directories>
  <directories check_all="yes">/home,/root,/usr,/bin,/sbin,/var/www</directories>
</syscheck>
and restarting with "/var/ossec/bin/ossec-control restart", I wait to see
"Real time file monitoring started." in ossec.log.
But this takes too long:
2013/11/13 09:08:25 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/11/13 09:08:25 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2013/11/13 09:08:25 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2013/11/13 09:09:47 ossec-syscheckd: ERROR: Unable to run diff for /etc/prelink.cache
2013/11/14 12:42:29 ossec-syscheckd: INFO: Real time file monitoring started.
2013/11/14 12:42:29 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2013/11/14 12:42:41 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2013/11/14 12:43:01 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/11/14 13:19:52 ossec-rootcheck: INFO: Ending rootcheck scan.
2013/11/14 13:44:52 ossec-syscheckd: INFO: Starting syscheck scan.
2013/11/15 10:07:16 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2013/11/15 10:07:16 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2013/11/15 10:07:16 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2013/11/15 12:33:19 ossec-syscheckd: WARN: Error opening directory: '/var/lib/mysql': Too many levels of symbolic links
2013/11/15 12:33:19 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2013/11/15 12:33:31 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2013/11/15 12:33:51 ossec-syscheckd: INFO: Starting real time file monitoring.
2013/11/15 12:33:51 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/11/15 12:50:14 ossec-rootcheck: INFO: Ending rootcheck scan.
Currently most of the time is spent adding the /home/user123 directories
(2869 of them) for realtime monitoring.
Is there an obvious reason for this? The documentation mentions that this
process takes no longer than 30 min.
Thanks,
Irena
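One way to measure how long the pre-scan and the realtime-monitoring setup actually take from ossec.log, as an added example that is not part of the post or of OSSEC itself. The sample lines are copied from the excerpt above (one entry per line); the 30-minute limit is the documented expectation the post refers to.

```python
import re
from datetime import datetime

# Constructed sample: the syscheckd lines from the ossec.log excerpt in the post.
SAMPLE_LOG = """\
2013/11/13 09:08:25 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2013/11/13 09:08:25 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2013/11/14 12:42:29 ossec-syscheckd: INFO: Real time file monitoring started.
2013/11/14 12:42:29 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2013/11/15 10:07:16 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2013/11/15 10:07:16 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
2013/11/15 12:33:19 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2013/11/15 12:33:51 ossec-syscheckd: INFO: Starting real time file monitoring.
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+): (\w+): (.*)$")

# phase -> (message that opens the phase, messages that close it)
PHASES = {
    "pre-scan": ("Starting syscheck database (pre-scan).",
                 {"Finished creating syscheck database (pre-scan completed)."}),
    "realtime": ("Initializing real time file monitoring (not started).",
                 {"Real time file monitoring started.",
                  "Starting real time file monitoring."}),
}

def phase_durations(log_text):
    """Return (phase, start_time, seconds) for every completed phase, in the
    order the phases finished. Lines from other daemons are ignored."""
    open_at, results = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(2) != "ossec-syscheckd":
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        msg = m.group(4)
        for phase, (opener, closers) in PHASES.items():
            if msg == opener:
                open_at[phase] = ts          # a restart simply re-opens the phase
            elif msg in closers and phase in open_at:
                started = open_at.pop(phase)
                results.append((phase, started, (ts - started).total_seconds()))
    return results

def slow_phases(log_text, limit_seconds=30 * 60):
    """Phases that exceeded the limit (default: the documented 30 minutes)."""
    return [r for r in phase_durations(log_text) if r[2] > limit_seconds]

if __name__ == "__main__":
    for phase, started, secs in phase_durations(SAMPLE_LOG):
        print(f"{started:%Y/%m/%d %H:%M:%S} {phase:9s} {secs / 3600:6.2f} h")
```

Run it against a real /var/ossec/logs/ossec.log to see whether the slow part is the pre-scan or the realtime setup across restarts.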