Hi,

The minimum value of syscheck.sleep_after is 1; you can't set it to 0. Anyway,
once you set syscheck.sleep to 0, sleep_after does not matter because it won't
sleep in any case.

Regarding the syscheck frequency, remember never to set it lower than 300, and
be aware that if you are using the default values of sleep_after and sleep,
syscheck will take more than 300 seconds to finish, meaning that the syscheck
frequency will be higher than the time needed to scan the full
database.

Best regards,

Pedro S.

On Wed, Jun 29, 2016 at 2:35 AM, Tahir Hafiz <[email protected]> wrote:

> Hi Pedro,
>
> I will set the OSSEC sleep to 0 (syscheck.sleep).
> When you set sleep to 0, what value do you set for syscheck.sleep_after?
> Do you set that to 0 as well?
>
> I will also set the frequency that syscheck is executed to about 600
> seconds or so to be on the safe side and then test for 500, and then 400.
>
> Cheers
>
> On Tuesday, 28 June 2016 08:10:12 UTC+1, Pedro S wrote:
>>
>> Hi Tahir,
>>
>> We have been experimenting with those syscheck values. I can tell you
>> it's like SUPER FAST when you set sleep to 0; I have some videos recorded
>> showing how OSSEC can complete a 3000-file database in a few seconds.
>> In my tests OSSEC can work with 0 sleep, but be aware that the agent
>> will consume all the CPU in a few seconds. The agent must not cause any
>> risk to the endpoint; that's why sleep is sometimes used, to prevent the
>> agent from collapsing the CPU.
>>
>> Regarding the frequency, right now OSSEC has a 300-second (here
>> <https://github.com/wazuh/ossec-wazuh/blob/ef7a1d113183fcf8f83bd9022d724ddb9228ce94/src/syscheckd/run_check.c#L297>)
>> sleep in syscheck, so <frequency> must be set to a minimum of 300s (I
>> recommend a few more seconds, or lowering the hardcoded sleep).
>>
>> Best regards,
>>
>> Pedro S.
>>
>>
>> On Mon, Jun 27, 2016 at 7:01 AM, Tahir Hafiz <[email protected]> wrote:
>>
>>> We are looking at performance testing/tuning OSSEC.
>>> As many of you are aware there is a configuration option in OSSEC's
>>> internal_options.conf file for changing the following:
>>>
>>> syscheck.sleep=2
>>> syscheck.sleep_after=15
>>>
>>> I am wondering if anyone has modified these parameters and to what
>>> effect long-term?
>>> Is it safe to set syscheck.sleep to zero and syscheck.sleep to
>>> 128 long term?
>>>
>>> Also, within the ossec.conf file itself there is a syscheck parameter
>>> for "frequency"; we have changed this to half an hour (1800 seconds).
>>> Is it safe to change this to 10 minutes (600 seconds) in the long term?
>>>
>>> Cheers
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
>>>
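
An added example, not part of the original thread and not OSSEC code: a small Python check of the settings discussed above against the floors Pedro gives (sleep_after at least 1, frequency at least 300). It assumes syscheck pauses `sleep` seconds after every `sleep_after` files, so the figure it reports is only a lower bound on scan time; the function names and the sample configuration are constructed for illustration.

```python
import re

# Values quoted in the thread: defaults sleep=2, sleep_after=15; floors 1 and 300.
DEFAULTS = {"syscheck.sleep": 2, "syscheck.sleep_after": 15}
MIN_SLEEP_AFTER = 1
MIN_FREQUENCY = 300

def parse_internal_options(text):
    """Read syscheck.* integer settings from internal_options.conf text."""
    opts = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.fullmatch(r"(syscheck\.\w+)\s*=\s*(-?\d+)", line)
        if m:
            opts[m.group(1)] = int(m.group(2))
    return opts

def throttle_seconds(n_files, sleep, sleep_after):
    """Lower bound on scan time: one pause of `sleep` s per `sleep_after` files.
    Assumed model; hashing and I/O time come on top of this."""
    return (n_files // sleep_after) * sleep

def review(conf_text, frequency, n_files):
    """Return a list of findings for the given settings and file count."""
    opts = parse_internal_options(conf_text)
    sleep, after = opts["syscheck.sleep"], opts["syscheck.sleep_after"]
    findings = []
    if frequency < MIN_FREQUENCY:
        findings.append(f"frequency {frequency}s is below {MIN_FREQUENCY}s")
    if after < MIN_SLEEP_AFTER:
        findings.append(f"sleep_after {after} is below {MIN_SLEEP_AFTER}")
        return findings
    if sleep == 0:
        findings.append("sleep=0: no throttling, sleep_after is ignored, "
                        "expect CPU saturation during scans")
        return findings
    pause = throttle_seconds(n_files, sleep, after)
    if pause >= frequency:
        findings.append(f"scan sleeps {pause}s, not less than frequency {frequency}s")
    return findings

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = "# constructed example\nsyscheck.sleep=2\nsyscheck.sleep_after=15\n"

if __name__ == "__main__":
    for finding in review(SAMPLE_CONF, frequency=300, n_files=3000):
        print(finding)
```

With the defaults and the 3000-file database mentioned in the thread, the pauses alone add up to 400 seconds, which is why a 300-second frequency is flagged.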