As we can see, Syscheck isn't very accurate with time for three main
1. In order not to impact the system performance, Syscheck sleeps two
seconds for every 15 checked files. You can change this by changing the
settings "syscheck.sleep" and "syscheck.sleep_after" in the file
*internal_options.conf*. For example, you can set "syscheck.sleep=0" in
a testing environment. I don't recommend setting this value in a
production environment, although you can reduce the sleep time to 1 second
or increase the sleep_after to 50 files.
2. After the Syscheck scan, the Rootcheck scan gets launched, and the
real-time monitor doesn't work until Rootcheck has ended.
3. Sometimes Syscheck sleeps 5 minutes after a complete cycle.
I saw a little misconfiguration in your ossec.conf file: the settings
<alert_new_files> and <auto_ignore> are OK, but they must be on the manager,
not on the agent.
Lastly, note that the first Syscheck scan will produce neither
alerts about new files nor file change reports; this is because Syscheck
generates and sends a database to the server at each scan. The manager
works by analyzing the differences between different versions of the
database, but the first time the manager has no database and can't produce
Hope it helps.
On Saturday, October 15, 2016 at 1:10:25 AM UTC+2, Matt wrote:
> I've changed the scan frequency to 40 minutes, and realtime isn't working.
> I've edited files 2 times, nothing. Hopefully it at least fires off when
> the next scan happens.
> On Friday, October 14, 2016 at 11:06:53 AM UTC-7, Matt wrote:
>> I just installed OSSEC in the Azure space, HIDS seems ok but FIM isn't
>> behaving consistently.
>> First, realtime monitoring simply isn't working. FIM only seems to work
>> when the scan runs, which I have set to 10 minutes for testing. Second, I
>> only seem to get a fraction of the changes I've made. For testing I have 4
>> folders, and I make 2 changes in each folder, usually an edit and a delete
>> and/or add. I just did that 2 times in the last hour, so 16 changes, and I
>> received only alerts for 3 of those changes.
>> The OSSEC Manager server is CentOS, the agent is Windows Server 2012 R2.
>> The agent does say "INFO: Real time file monitoring started.".
>> Following are the configs for the manager server and the agent server. Is
>> there something I am missing?
>> Agent, yes the lines are intentionally each a little different for the
>> directories to monitor while fiddling with this. If one is wrong please let
>> me know.
>> <!-- Syscheck - Integrity Checking config. -->
>> <!-- Default frequency, every 20 hours. It doesn't need to be higher
>> - on most systems and one a day should be enough.
>> -->
>> <!-- By default it is disabled. In the Install you must choose
>> - to enable it.
>> -->
>> <directories check_all="yes" realtime="yes">C:\TestOSS1</directories>
>> <directories realtime="yes" check_all="yes">C:\TestOSS2</directories>
>> <directories check_all="yes" report_changes="yes"
>> <directories realtime="yes" report_changes="yes"
>> <!-- Default files to be monitored - system32 only. -->
>> <directories check_all="yes">%WINDIR%/win.ini</directories>
>> <directories check_all="yes">%WINDIR%/system.ini</directories>
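As an added example (not code from this thread or from the OSSEC project), a small Python check for the two agent-side issues the reply raises: manager-only <syscheck> options that ended up in the agent's ossec.conf, and how much of a scan is spent sleeping under the syscheck.sleep / syscheck.sleep_after defaults. The sample config is constructed from the quoted agent excerpt, with a <syscheck> wrapper, a 40-minute frequency and a third directory filled in as assumptions.

```python
"""Lint an OSSEC agent-side <syscheck> block for the issues discussed above.

Sample input is constructed: the agent config quoted in the thread, wrapped in
<syscheck>, plus an assumed <frequency> of 2400 s (40 minutes) and an assumed
third monitored directory. Sleep defaults (2 s per 15 files) are from the reply.
"""
import xml.etree.ElementTree as ET

# Options the reply says belong on the manager (server), not on the agent.
MANAGER_ONLY = {"alert_new_files", "auto_ignore"}

SAMPLE_AGENT_CONF = """<ossec_config>
  <syscheck>
    <frequency>2400</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
    <directories check_all="yes" realtime="yes">C:\\TestOSS1</directories>
    <directories realtime="yes" check_all="yes">C:\\TestOSS2</directories>
    <directories check_all="yes" report_changes="yes">C:\\TestOSS3</directories>
    <directories check_all="yes">%WINDIR%/win.ini</directories>
  </syscheck>
</ossec_config>"""


def lint_agent_syscheck(conf_xml: str) -> dict:
    """Return manager-only options found on the agent, and which monitored
    directories use realtime versus scheduled-scan-only monitoring."""
    root = ET.fromstring(conf_xml)
    sc = root.find("syscheck")
    if sc is None:
        return {"misplaced": [], "realtime": [], "scan_only": []}
    misplaced = sorted(child.tag for child in sc if child.tag in MANAGER_ONLY)
    realtime, scan_only = [], []
    for d in sc.findall("directories"):
        (realtime if d.get("realtime") == "yes" else scan_only).append(d.text.strip())
    return {"misplaced": misplaced, "realtime": realtime, "scan_only": scan_only}


def scan_throttle_seconds(file_count: int, sleep: int = 2, sleep_after: int = 15) -> int:
    """Seconds syscheck spends sleeping during one scan of file_count files,
    given internal_options.conf syscheck.sleep and syscheck.sleep_after."""
    if sleep <= 0 or sleep_after <= 0:
        return 0
    return (file_count // sleep_after) * sleep


if __name__ == "__main__":
    print(lint_agent_syscheck(SAMPLE_AGENT_CONF))
    for n in (150, 3000):
        print(n, "files:", scan_throttle_seconds(n), "s sleeping with defaults,",
              scan_throttle_seconds(n, 1, 50), "s with sleep=1, sleep_after=50")
```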