On Jul 8, 2015 5:57 AM, "Chinguun Bayar" <[email protected]> wrote:
>
> Hello guys?
>
> I have configured an OSSEC server (running on Ubuntu) with two agents (1 CentOS, 1 Windows). Almost working well. But I have a few questions.
> 1. When I changed a file on the Linux agent, the rule triggered an alert after almost 4 minutes (I've configured frequency 60 on both server and agent). What's wrong with it?

60 seconds is too short a time period. OSSEC will run scans periodically, but it won't start a new one until the previous has finished, and the frequency set isn't precise. If you want quicker notifications of modified files, use the inotify support for near-realtime alerting.

> 2. What is the difference between agent and server frequency? How do they work?

There are a number of configurable frequencies; which do you mean?

> 3. Where are logs from the agent stored on the server? How do they know a file changed? Where is the previous hash stored?
>

Alerts are recorded in /var/ossec/logs/alerts. File hashes are reported from the agent to the manager. Current syscheck data is stored in /var/ossec/queue/syscheck.

> thanks
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
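
As an added illustration of the inotify suggestion in the reply above (not part of the original thread, and not either poster's configuration), the syscheck section of an agent's ossec.conf could look like the fragment below. The monitored directories and the frequency value are assumptions chosen for the example.

```xml
<!-- Example agent-side syscheck section; the paths and values are illustrative. -->
<syscheck>
  <!-- Interval of the periodic full scan, in seconds. A scan does not start
       until the previous one has finished, so a very small value such as 60
       does not produce alerts within 60 seconds. 79200 is 22 hours. -->
  <frequency>79200</frequency>

  <!-- realtime="yes" uses inotify on Linux, so a change under these
       directories is reported without waiting for the next periodic scan.
       Real-time monitoring only begins once the first full scan has
       completed and the directories have been added to the watch queue. -->
  <directories realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>

  <!-- Directories that only need the periodic scan omit the realtime attribute. -->
  <directories check_all="yes">/bin,/sbin</directories>

  <!-- Files that change constantly are excluded to avoid alert noise. -->
  <ignore>/etc/mtab</ignore>
</syscheck>
```

The agent has to be restarted for the change to take effect, and alerts for the real-time directories then appear in the manager's /var/ossec/logs/alerts like any other syscheck alert.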
