I can not definitely confirm that the FIM scan ISN'T paying attention to
the ossec.conf file on the Windows agent. Instead it is running based off
the config of the OSSEC Master server. Pasting in config from Windows
agent. And I did add the new file and ignore flag to the master, just
didn't remove from agent.

<!-- Syscheck - Integrity Checking config. -->
<syscheck>
  <!-- Default frequency, every 20 hours. It doesn't need to be higher
    - on most systems and one a day should be enough.
    -->
  <frequency>16200</frequency>
  <alert_new_files>yes</alert_new_files>
  <auto_ignore>no</auto_ignore>

On Wednesday, October 19, 2016 at 12:11:20 PM UTC-7, dan (ddpbsd) wrote:
> On Oct 19, 2016 12:08 PM, "Matt" <[email protected]> wrote:
> >
> > Thank you both, I appreciate it.
> >
> > I added the config to the global file instead of the local file.
> >
> > So, I think realtime is behaving now, but not the rest. It's my
> understanding the scan frequency for the agent is set on the agent, not the
> global level. I've set the agent to about an hour, but it's not noting
> changes for the non realtime. I'm ok with setting it to less frequent and
> will try 4 hours next, and then a longer period after that. Unless it's all
> set on the global level (master server is 20hr), which didn't seem to be
> the case?
> >
>
> Frequency is handled in the agent's ossec.conf.
>
> > Thanks,
> > Matthew
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>