It is possible that you are scanning too many files/folders, which can cause a very long scan time (many hours). OSSEC limits the rate of the scans in order not to consume too many system resources. A new scan will not start while the previous one has not finished.
Please verify in the client log how much time there is between 2 consecutive syscheck scans.

-Roy

On Friday, February 7, 2014 10:27:10 AM UTC-8, Sean Jackson wrote:
> On my server, this is the setting I have:
>
> <syscheck>
> <!-- Frequency that syscheck is executed -- default every 20 hours -->
> <!-- 15 min = 900 -->
> <!-- 20 hours = 72000 -->
> <frequency>300</frequency>
>
> And on the shared agent.conf, this is what I have:
>
> <syscheck>
> <!-- Frequency that syscheck is executed - default to every 22 hours -->
> <frequency>300</frequency>
>
> Per my understanding, the agents and server should all be scanning every 5 minutes. Am I incorrect?
>
> On Thursday, February 6, 2014 1:05:11 PM UTC-7, Sean Jackson wrote:
>> These emails come during the morning, and the on-call guys are weary from getting them when they come.
>>
>> Can anyone help me tune OSSEC so they come closer to when changes were made (the changes in these examples happened 12-14 hours earlier)?
>>
>> OSSEC HIDS Notification.
>> 2014 Feb 06 04:40:34
>>
>> Received From: (xxxxxxxxxx) XXX.XX.58.194->syscheck
>> Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> Portion of the log(s):
>>
>> Integrity checksum changed for: '/usr/bin/git-check-attr'
>> Size changed from '1412976' to '1417808'
>> Old md5sum was: '10dfa23bcacb1913419d4ca65a6442e2'
>> New md5sum is : 'd59af7c52c919ad764b9a7c6ee9e997a'
>> Old sha1sum was: '67ec1ab51b102638a4dbfdda2e5e0e38a29b0a5b'
>> New sha1sum is : '9241833f9901325ac39916b95cfa192d24a2cb20'
>>
>> --END OF NOTIFICATION
>>
>> OSSEC HIDS Notification.
>> 2014 Feb 06 04:40:38
>>
>> Received From: (xxxxxxxx) XXX.XX.58.194->syscheck
>> Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> Portion of the log(s):
>>
>> Integrity checksum changed for: '/usr/bin/git-merge'
>> Size changed from '1412976' to '1417808'
>> Old md5sum was: '10dfa23bcacb1913419d4ca65a6442e2'
>> New md5sum is : 'd59af7c52c919ad764b9a7c6ee9e997a'
>> Old sha1sum was: '67ec1ab51b102638a4dbfdda2e5e0e38a29b0a5b'
>> New sha1sum is : '9241833f9901325ac39916b95cfa192d24a2cb20'
>>
>> --END OF NOTIFICATION
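
One way to do the check suggested in the reply above, as an added example that is not part of the original thread: pair the syscheck start and end lines in an agent's log and compare each scan's duration with the configured `<frequency>`. The log lines are constructed, and the "Starting/Ending syscheck scan" message wording and the `scan_report` helper are assumptions to adapt to your OSSEC version.

```python
import re
from datetime import datetime

# Constructed sample of an agent's ossec.log (not taken from the thread). The
# "Starting/Ending syscheck scan" wording is assumed to match your OSSEC version.
SAMPLE_LOG = """\
2014/02/05 14:02:11 ossec-syscheckd: INFO: Starting syscheck scan.
2014/02/05 14:02:12 ossec-rootcheck: INFO: Starting rootcheck scan.
2014/02/06 04:40:30 ossec-syscheckd: INFO: Ending syscheck scan.
2014/02/06 04:45:31 ossec-syscheckd: INFO: Starting syscheck scan.
2014/02/06 18:59:02 ossec-syscheckd: INFO: Ending syscheck scan.
"""

EVENT = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-syscheckd\S*: INFO: "
    r"(Starting|Ending) syscheck scan"
)

def scan_report(log_text, frequency):
    """Return one dict per completed scan: start, duration and the time since
    the previous scan started, flagging scans that outlast <frequency>."""
    rows, start, prev_start = [], None, None
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # other daemons, rootcheck, unrelated messages
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if m.group(2) == "Starting":
            start = ts
        elif start is not None:  # an "Ending" with no seen start is skipped
            duration = int((ts - start).total_seconds())
            gap = None if prev_start is None else int((start - prev_start).total_seconds())
            rows.append({
                "start": start.isoformat(sep=" "),
                "duration_s": duration,
                "since_prev_start_s": gap,
                "overrun": duration > frequency,
            })
            prev_start, start = start, None
    return rows

if __name__ == "__main__":
    for row in scan_report(SAMPLE_LOG, frequency=300):
        print(row)
```

Feed it the contents of the agent's own log (by default `/var/ossec/logs/ossec.log`) and the `<frequency>` value from the configuration; rows with `overrun` set are scans that took longer than the requested interval, so changes made early in such a scan are only reported hours later.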
