Hi Matt,

As we can see, Syscheck isn't very accurate with time for three main 

   1. In order not to impact system performance, Syscheck sleeps two 
   seconds for every 15 checked files. You can change this by changing the 
   settings "syscheck.sleep" and "syscheck.sleep_after" in the file 
   *internal_options.conf*. For example, you can set "syscheck.sleep=0" in 
   a testing environment. I don't recommend setting this value in a 
   production environment, although you can reduce the sleep time to 1 second 
   or increase sleep_after to 50 files.
   2. After the Syscheck scan, the Rootcheck scan gets launched, and the 
   real-time monitor doesn't work until Rootcheck has ended.
   3. Sometimes Syscheck sleeps 5 minutes after a complete cycle 
   (syscheck+rootcheck+realtime monitoring).

I saw a small misconfiguration in your ossec.conf file: the settings 
<alert_new_files> and <auto_ignore> are OK, but they must be on the manager, 
not on the agent.

Lastly, note that the first Syscheck scan will never produce either 
alerts about new files or file change reports. This is because Syscheck 
generates and sends a database to the server at each scan. The manager 
works by analyzing the differences between different versions of the 
database, but the first time the manager has no database and can't produce 

Hope it helps.

Best regards,
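
An added example, not code from this thread or from OSSEC itself: a small Python script that parses a constructed agent <syscheck> fragment modelled on the one Matt posted below, flags the two options the reply says belong on the manager rather than the agent, and estimates how much of a full scan the syscheck.sleep / syscheck.sleep_after pauses account for (point 1 above). The overhead model (one pause per completed batch of files) and the file counts are assumptions for illustration.

```python
"""Added example for the ossec-list thread above. Illustrative code, not
OSSEC's own: the sample config is constructed after the one posted, and the
sleep-overhead model (one pause per completed batch of files) is an
assumption drawn from the reply's description, not from OSSEC source."""
import xml.etree.ElementTree as ET

# Options that, per the reply above, only take effect in the manager's ossec.conf.
MANAGER_ONLY = {"alert_new_files", "auto_ignore"}

# Constructed agent fragment (mirrors the posted one), wrapped in a root element
# so that it parses stand-alone.
AGENT_SYSCHECK = """<ossec_config>
  <syscheck>
    <frequency>600</frequency>
    <alert_new_files>yes</alert_new_files>
    <auto_ignore>no</auto_ignore>
    <disabled>no</disabled>
    <directories check_all="yes" realtime="yes">C:\\TestOSS1</directories>
    <directories check_all="yes" report_changes="yes" realtime="yes">C:\\TestOSS3</directories>
    <directories check_all="yes">%WINDIR%/win.ini</directories>
  </syscheck>
</ossec_config>"""


def lint_agent_syscheck(xml_text):
    """Return the manager-only options found in an agent <syscheck> block,
    the configured scan frequency, and the directories that rely on the
    realtime monitor (which the reply notes is paused while rootcheck runs)."""
    root = ET.fromstring(xml_text)
    sc = root.find("syscheck")
    misplaced = sorted(c.tag for c in sc if c.tag in MANAGER_ONLY)
    # 72000 s matches the "every 20 hours" default quoted in the posted config.
    freq = int(sc.findtext("frequency", default="72000"))
    realtime_dirs = [d.text for d in sc.findall("directories") if d.get("realtime") == "yes"]
    return {"misplaced": misplaced, "frequency": freq, "realtime_dirs": realtime_dirs}


def sleep_overhead(n_files, sleep=2, sleep_after=15):
    """Seconds a full scan spends sleeping if syscheck pauses `sleep` seconds
    after every `sleep_after` files (defaults are the values quoted above).
    Assumption: exactly one pause per completed batch, no other delays."""
    if sleep_after <= 0:
        raise ValueError("sleep_after must be positive")
    return (n_files // sleep_after) * sleep


def scan_fits_frequency(n_files, frequency, sleep=2, sleep_after=15):
    """True when the sleep overhead alone is below the configured frequency.
    If it is not, scans run back to back and scheduled alerts lag further."""
    return sleep_overhead(n_files, sleep, sleep_after) < frequency


if __name__ == "__main__":
    report = lint_agent_syscheck(AGENT_SYSCHECK)
    for tag in report["misplaced"]:
        print(f"<{tag}> has no effect in the agent config; move it to the manager")
    print(f"realtime directories: {report['realtime_dirs']}")
    for n in (1_000, 10_000, 50_000):
        for label, s, sa in (("default 2s/15", 2, 15), ("tuned 1s/50", 1, 50)):
            print(f"{n:>6} files, {label}: sleeps {sleep_overhead(n, s, sa):>5}s, "
                  f"fits {report['frequency']}s frequency: "
                  f"{scan_fits_frequency(n, report['frequency'], s, sa)}")
```

With the defaults quoted above (2 s per 15 files), a tree of 10,000 monitored files spends about 22 minutes asleep per scan, longer than the 600-second frequency set in the posted config; the tuned 1 s / 50 files values bring that down to a few minutes. That gap is one concrete reason scheduled scans, and the alerts that depend on them, drift from the configured interval.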


On Saturday, October 15, 2016 at 1:10:25 AM UTC+2, Matt wrote:
> I've changed the scan frequency to 40 minutes, and realtime isn't working. 
> I've edited files 2 times, nothing. Hopefully it at least fires off when 
> the next scan happens.
> On Friday, October 14, 2016 at 11:06:53 AM UTC-7, Matt wrote:
>> Hello,
>> I just installed OSSEC in the Azure space, HIDS seems ok but FIM isn't 
>> behaving consistently.
>> First, realtime monitoring simply isn't working. FIM only seems to work 
>> when the scan runs, which I have set to 10 minutes for testing. Second, I 
>> only seem to get a fraction of the changes I've made. For testing I have 4 
>> folders, and I make 2 changes in each folder, usually an edit and a delete 
>> and/or add. I just did that 2 times in the last hour, so 16 changes, and I 
>> received only alerts for 3 of those changes.
>> The OSSEC Manager server is CentOS, the agent is Windows Server 2012 R2. 
>> The agent does say "INFO: Real time file monitoring started.".
>> Following are the configs for the manager server and the agent server. Is 
>> there something I am missing? 
>> Manager
>> <ossec_config>
>>   <global>
>>     <email_notification>yes</email_notification>
>>     <email_maxperhour>500</email_maxperhour>
>>     <email_to>reda...@redacted.com</email_to>
>>     <smtp_server>redacted.redacted.com</smtp_server>
>>     <email_from>reda...@redacted.com</email_from>
>>     <logall>yes</logall>
>>   </global>
>> Agent. Yes, the lines are intentionally each a little different for the 
>> directories to monitor while fiddling with this. If one is wrong please let 
>> me know.
>>   <!-- Syscheck - Integrity Checking config. -->
>>   <syscheck>
>>     <!-- Default frequency, every 20 hours. It doesn't need to be higher
>>       -  on most systems and one a day should be enough.
>>       -->
>>     <frequency>600</frequency>
>>     <alert_new_files>yes</alert_new_files>
>>     <auto_ignore>no</auto_ignore>
>>     <!-- By default it is disabled. In the Install you must choose
>>       -  to enable it.
>>       -->
>>     <disabled>no</disabled>  
>>     <directories check_all="yes" realtime="yes">C:\TestOSS1</directories>
>>     <directories realtime="yes" check_all="yes">C:\TestOSS2</directories>
>>     <directories check_all="yes" report_changes="yes" realtime="yes">C:\TestOSS3</directories>
>>     <directories realtime="yes" report_changes="yes" check_all="yes">C:\TestOSS4</directories>
>>     <!-- Default files to be monitored - system32 only. -->
>>     <directories check_all="yes">%WINDIR%/win.ini</directories>
>>     <directories check_all="yes">%WINDIR%/system.ini</directories>
>> Thanks,
>> Matt

