So after some investigating it seems what's ACTUALLY happening is that the realtime notifications aren't working, and the syscheck 20-hour scan is picking up the changes. Thus, one could reasonably (I think) interpret this as delayed realtime notifications.

I certainly have the realtime="yes" option set for these directories, and the inotify package installed. Anything else I'm missing? Might give the agents a restart just in case.

On Thursday, April 14, 2016 at 2:21:02 PM UTC-4, thak wrote:
>
> I hadn't really considered the mail server may be the problem - we naturally utilize sendmail to offload the notifications and route them through our corporate O365 Exchange server.
>
> I was getting some integrity changes hours after the changes actually occurred (on boxes with realtime=yes and inotify packages installed). I also double checked my inbox, and this particular alert (for a file being re-added, i.e. a new version) only appears once in my inbox.
>
> On Wednesday, April 6, 2016 at 4:40:08 PM UTC-4, [email protected] wrote:
>>
>> Did you look at the maillog of your server? When were the notifications actually sent?
>> Email may be deferred for a couple of reasons:
>> * greylisting
>> * mail server overload or even inactivity.
>>
>> If you want fast and reliable delivery, try to set up an additional notification engine. We chose Slack, but there are a couple of chat systems that can receive notifications via their API.
>>
>> On Wednesday, April 6, 2016, 17:33:03 UTC+4, user thak wrote:
>>>
>>> Any idea what the likely reason would be for this? We were installing some diagnostic packages yesterday afternoon, but I didn't get email notifications until 0430 today.
>>>
>> --

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
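The distinction the thread lands on (realtime watch not firing and the periodic scan catching the change hours later, versus prompt detection with slow mail delivery) can be checked from the server's alerts.log. The script below is an added example, not the poster's or the OSSEC project's code; the alert blocks, file mtimes, mail arrival times and the 60-second window are constructed for illustration.

```python
import re

# Constructed sample in the layout OSSEC writes to alerts.log
# ("** Alert <epoch>.<id>: ..." then the alert body); not a real capture.
SAMPLE_ALERTS = """\
** Alert 1460659262.1001: mail - ossec,syscheck,
2016 Apr 14 14:41:02 (web01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/hosts'

** Alert 1460660000.1002: mail - ossec,syscheck,
2016 Apr 14 14:53:20 (web01) 10.0.0.5->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
Integrity checksum changed for: '/etc/ssh/sshd_config'

** Alert 1460703600.1003: mail - ossec,syscheck,
2016 Apr 15 03:00:00 (web01) 10.0.0.5->syscheck
Rule: 554 (level 5) -> 'File added to the system.'
New file '/usr/local/bin/diag' added to the system.
"""
# Constructed epoch seconds: file mtime on the agent, and when the mail arrived.
SAMPLE_MTIMES = {"/etc/hosts": 1460659250, "/etc/ssh/sshd_config": 1460659995,
                 "/usr/local/bin/diag": 1460631600}
SAMPLE_MAIL = {"/etc/hosts": 1460659300, "/etc/ssh/sshd_config": 1460667200,
               "/usr/local/bin/diag": 1460703700}

ALERT_RE = re.compile(r"^\*\* Alert (\d+)\.\d+:.*syscheck", re.M)
PATH_RE = re.compile(r"'(/[^']*)'")  # quoted absolute path in the body

def parse_syscheck_alerts(text):
    """Return a list of (alert_epoch, path) for every syscheck alert block."""
    out = []
    for block in text.split("\n\n"):
        m = ALERT_RE.search(block)
        paths = PATH_RE.findall(block)
        if m and paths:
            out.append((int(m.group(1)), paths[-1]))
    return out

def diagnose(alerts, mtimes, mail_received, window=60):
    """Per file: a large change->alert gap means the realtime watch never fired
    and the periodic scan caught it; a large alert->mail gap means mail is slow."""
    report = {}
    for epoch, path in alerts:
        detect_lag = epoch - mtimes[path]
        mail_lag = mail_received[path] - epoch
        verdict = ("detection-delay" if detect_lag > window else
                   "mail-delay" if mail_lag > window else "prompt")
        report[path] = (verdict, detect_lag, mail_lag)
    return report
```

On a real server, feed it /var/ossec/logs/alerts/alerts.log and take the mtimes from stat on the agent; a 72000-second detection lag is the signature of the 20-hour scan doing the work instead of inotify.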
