On Mon, Nov 21, 2016 at 7:34 AM, Yousif Johny <[email protected]> wrote:
> Hi all,
>
> I've been having this weird issue with OSSEC. I set up an agent on one
> server, and things seem okay at first.
>
> When I modify a file that is being monitored (/etc/passwd) I'd have to wait
> a significant time for it to trigger an alert (unless I manually run
> syscheckd). So I went to /var/ossec/etc/ossec.conf (on the side of the
> server being monitored) and modified it as follows:
>
>     <syscheck>
>       <!-- Frequency that syscheck is executed - default to every 22 hours -->
>       <frequency>30</frequency>
>
>       <!-- Directories to check (perform all possible verifications) -->
>       <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
>       <directories check_all="yes">/bin,/sbin</directories>
>
> So the frequency is 30 (which I believe is in seconds).
>
> Correct me if I'm wrong, but I thought this would mean the syscheck would
> run every 30 seconds, meaning if I modify a file, it'll take a max of 30
> seconds for it to trigger an alert, right?
>
> If so, then why is it not triggering? I've been waiting for minutes and
> minutes and nothing happens. This has been puzzling me.
>
30 seconds is too small. Depending on the system, about 300 seems to be the minimum. The more files you're monitoring, the longer it will take, so the higher the frequency should be set.

> Thank you.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
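For comparison, here is the poster's syscheck block next to a version that follows the reply's advice. This is an added illustration, not configuration from the original thread or from the OSSEC project; the 300-second figure is taken from the reply above, and the directory list is the one the poster already had.

```xml
<!-- Added example: original block (frequency too low for a full scan
     of /etc, /usr/bin, /usr/sbin, /bin and /sbin to finish between runs) -->
<syscheck>
  <frequency>30</frequency>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
</syscheck>

<!-- Added example: same block with frequency raised to the ~300 s
     the reply suggests as a practical minimum. The value is in seconds,
     so this is one scheduled scan every five minutes. With more
     directories, raise it further so a scan completes before the next
     one is due. -->
<syscheck>
  <frequency>300</frequency>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
</syscheck>
```

Only the `<frequency>` value differs between the two blocks; after editing ossec.conf on the monitored host, restart the agent for the new interval to take effect.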
