On Tue, Oct 25, 2016 at 11:03 AM, Matt <[email protected]> wrote: > I can definitely confirm that the FIM scan ISN'T paying attention to the > ossec.conf file on the Windows agent. Instead it is running based off the > config of the OSSEC Master server. Pasting in config from windows agent. > And I did add the new file and ignore flag to the master, just didn't remove > from agent. >
Which options specifically are being set (for the agent) from the OSSEC server's ossec.conf? > <!-- Syscheck - Integrity Checking config. --> > <syscheck> > > <!-- Default frequency, every 20 hours. It doesn't need to be higher > - on most systems and one a day should be enough. > --> > <frequency>16200</frequency> > <alert_new_files>yes</alert_new_files> > <auto_ignore>no</auto_ignore> > > On Wednesday, October 19, 2016 at 12:11:20 PM UTC-7, dan (ddpbsd) wrote: >> >> On Oct 19, 2016 12:08 PM, "Matt" <[email protected]> wrote: >> > >> > Thank you both, I appreciate it. >> > >> > I added the config to the global file instead of the local file. >> > >> > So, I think realtime is behaving now, but not the rest. It's my >> > understanding the scan frequency for the agent is set on the agent, not the >> > global level. I've set the agent to about an hour, but it's not noting >> > changes for the non realtime. I'm ok with setting it to less frequent and >> > will try 4 hours next, and then a longer period after that. Unless it's all >> > set on the global level (master server is 20hr), which didn't seem to be >> > the >> > case? >> > >> >> Frequency is handled in the agent's ossec.conf. >> >> > Thanks, >> > Matthew >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an email to [email protected]. >> > For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
