Thanks! It didn't occur to me that using realtime and report_changes 
together could cause issues.  I will have to test this and see how it 
works. I realized that syscheck doesn't monitor new files until after it 
finishes the hard way, when I was trying to troubleshoot reporting and why 
it was taking so long. Thanks again for the help!

On Thursday, March 3, 2016 at 2:47:32 PM UTC-5, Santiago Bassett wrote:
>
> AFAIK, the ignore option has always worked fine, meaning that those files are 
> not scanned/monitored. Joseph, I would say the problem is caused because you 
> are using realtime and report_changes together (pretty sure this could fill 
> up your hard disk space quickly). 
>
> Here are a couple of issues to keep in mind with realtime option:
>
> - It doesn't monitor files when rootcheck is running (meaning that it can 
> actually take a while to report the file change; it could be several minutes).
>
> - It doesn't monitor new files until the next iteration of syscheck (a 
> while loop), when file descriptors are reset for the directory monitored in 
> realtime. This can take SYSTEM_WAIT (300 seconds, hardcoded) + time to run 
> the syscheck + time to run the rootcheck. 
> Hope that helps.
>
> On Thu, Mar 3, 2016 at 10:35 AM, dan (ddp) <ddp...@gmail.com> wrote:
>
>> On Thu, Mar 3, 2016 at 1:27 PM, Santiago Bassett
>> <santiago...@gmail.com> wrote:
>> > Weird, are you sure the ignored directories are getting scanned? Maybe 
>> > you have a duplicated directory given to the Syscheck both in ossec.conf 
>> > and agent.conf?
>> >
>>
>> Unless something has changed, that's been the way it's worked for years now.
>>
>> >
>> > On Thu, Mar 3, 2016 at 7:00 AM, Joseph cosgrove <joecos...@gmail.com> 
>> > wrote:
>> >>
>> >> I have a large number of applications that I need to monitor and I was
>> >> wondering if there is a syscheck configuration option that I can use 
>> >> that will not scan certain directories and/or files (similar to the way 
>> >> skip_nfs aborts syschecks). I have my agent.conf set to ignore the
>> >> directories that I want to ignore; however, syscheck still scans on the
>> >> agents and creates entries in /var, potentially filling up disk space. 
>> >> Given the large number of apps that we have, writing custom rules to 
>> >> remedy this is tedious.
>> >> I have my agent configuration scanning in real time like this:
>> >>
>> >> <directories check_all="yes" realtime="yes" report_changes="yes">path/to/dir</directories>
>> >> <ignore>path/to/logs</ignore>
>> >>
>> >> This is what is listed in the Documentation, is there a config option
>> >> anyone can think of that will help with my issue?
>> >>
>> >> ignore
>> >>
>> >> List of files or directories to be ignored (one entry per element). The
>> >> files and directories are still checked, but the results are ignored.
>> >>
>> >> Default: /etc/mtab
>> >>
>> >> Attributes:
>> >>
>> >> type: Value=sregex
>> >>
>> >> This is a simple regex pattern to filter out files so alerts are not
>> >> generated.
>> >>
>> >> --
>> >>
>> >> ---
>> >> You received this message because you are subscribed to the Google 
>> >> Groups "ossec-list" group.
>> >> To unsubscribe from this group and stop receiving emails from it, send 
>> >> an email to ossec-list+...@googlegroups.com.
>> >> For more options, visit https://groups.google.com/d/optout.

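The two pitfalls the thread settles on are easy to miss when reading a syscheck block by eye: `ignore` only suppresses alerts for paths that are still scanned as part of a monitored parent, and `realtime` combined with `report_changes` on the same directory is what was filling /var. The script below is an added example, not OSSEC's own code: a small linter that parses the `<syscheck>` section of an agent.conf or ossec.conf, flags both conditions, and computes the worst-case delay before a newly created file in a realtime directory is noticed, using the SYSTEM_WAIT value (300 seconds) quoted in the thread plus caller-supplied estimates of the syscheck and rootcheck run times. The sample configuration embedded in it is constructed for illustration; the element and attribute names follow the standard `<directories>` / `<ignore>` layout shown in the thread.

```python
"""Lint an OSSEC syscheck configuration for the pitfalls discussed in the thread.

Added example, not OSSEC code. Assumes the usual agent.conf / ossec.conf
layout: <syscheck> blocks containing <directories ...> elements (comma-separated
paths, yes/no attributes) and <ignore> elements, optionally with type="sregex".
The 300-second SYSTEM_WAIT is the value quoted in the thread; scan durations
passed to worst_case_new_file_delay() are the caller's own estimates.
"""
import xml.etree.ElementTree as ET

SYSTEM_WAIT_SECONDS = 300  # hardcoded wait between syscheck iterations, per the thread

# Constructed sample agent.conf fragment (not a real deployment).
SAMPLE_AGENT_CONF = """<agent_config>
  <syscheck>
    <directories check_all="yes" realtime="yes" report_changes="yes">/opt/app,/opt/app2</directories>
    <directories check_all="yes">/etc</directories>
    <ignore>/opt/app/logs</ignore>
    <ignore type="sregex">\\.log$</ignore>
  </syscheck>
</agent_config>
"""


def parse_syscheck(xml_text):
    """Return (monitored, ignores).

    monitored: list of (path, attrs), attrs mapping attribute name -> lowercased value
    ignores:   list of (value, kind), kind being "sregex" or "literal"
    """
    # ossec.conf may hold several top-level <ossec_config> blocks, which is not
    # well-formed XML on its own, so wrap the text in a synthetic root element.
    root = ET.fromstring("<lint_root>" + xml_text + "</lint_root>")
    monitored, ignores = [], []
    for sc in root.iter("syscheck"):
        for d in sc.findall("directories"):
            attrs = {k: v.strip().lower() for k, v in d.attrib.items()}
            for path in (d.text or "").split(","):
                path = path.strip()
                if path:
                    monitored.append((path, attrs))
        for ig in sc.findall("ignore"):
            value = (ig.text or "").strip()
            if value:
                ignores.append((value, ig.attrib.get("type", "literal")))
    return monitored, ignores


def is_under(child, parent):
    """True if child equals parent or lies inside it (path-prefix test)."""
    base = parent.rstrip("/")
    return child == (base or "/") or child.startswith(base + "/")


def lint(monitored, ignores):
    """Return human-readable findings for the two pitfalls raised in the thread."""
    findings = []
    for path, attrs in monitored:
        if attrs.get("realtime") == "yes" and attrs.get("report_changes") == "yes":
            findings.append(
                f"{path}: realtime and report_changes are combined; the thread "
                "reports this can fill disk space quickly")
    for value, kind in ignores:
        if kind == "sregex":
            continue  # a regex cannot be mapped onto one monitored path
        for path, _attrs in monitored:
            if is_under(value, path):
                findings.append(
                    f"{value}: ignore only suppresses alerts; it is still scanned "
                    f"as part of {path}")
    return findings


def worst_case_new_file_delay(syscheck_seconds, rootcheck_seconds):
    """Upper bound, per the thread, on how long a newly created file inside a
    realtime directory can go unnoticed: realtime picks it up only after the
    next syscheck iteration resets the directory watches."""
    return SYSTEM_WAIT_SECONDS + syscheck_seconds + rootcheck_seconds


if __name__ == "__main__":
    mon, ign = parse_syscheck(SAMPLE_AGENT_CONF)
    for line in lint(mon, ign):
        print("WARNING:", line)
    print("worst-case delay for a new file (10 min scan, 2 min rootcheck):",
          worst_case_new_file_delay(600, 120), "seconds")
```

Run it against a real agent.conf by replacing `SAMPLE_AGENT_CONF` with the file's contents. The literal-path check is deliberately conservative: an `ignore` placed under a monitored parent is reported even when the alert suppression is intentional, because the point the thread makes is that suppression does not reduce the scan or the entries written under /var.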
