Belay is my agent.conf
<agent_config profile="LinuxGeneral">
<syscheck>
<!-- Frequency that syscheck is executed -- default every 6 hours -->
<frequency>21600</frequency>
<!-- <scan_on_start>yes</scan_on_start> -->
<skip_nfs>yes</skip_nfs>
<alert_new_files>yes</alert_new_files>
<auto_ignore>no</auto_ignore>
<!-- Directories to check (perform all possible verifications) -->
<directories realtime="yes" check_all="yes"
report_changes="yes">/usr/local/etc</directories>
<directories realtime="yes" check_all="yes"
report_changes="yes">/lib,/lib64,/usr/lib,/usr/lib64</directories>
<directories realtime="yes" check_all="yes"
report_changes="yes">/usr/local/bin</directories>
<directories realtime="yes" check_all="yes"
report_changes="yes">/usr/local/sbin</directories>
<directories realtime="yes" check_all="yes"
report_changes="yes">/usr/local/lib</directories>
<directories realtime="yes" check_all="yes"
report_changes="yes">/usr/local/lib64</directories>
<directories realtime="yes" check_all="yes"
report_changes="yes">/home/cyblnxadm</directories>
<directories check_all="yes" realtime="yes"
report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes" realtime="yes"
report_changes="yes">/bin,/sbin,/boot</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/var/ossec</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
</syscheck>
<rootcheck>
<disabled>no</disabled>
<skip_nfs>yes</skip_nfs>
<system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt</system_audit>
<system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>
<rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
<rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
</rootcheck>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/messages</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/secure</location>
</localfile>
<localfile>
<log_format>syslog</log_format>
<location>/var/log/maillog</location>
</localfile>
</agent_config>
when i change a file under /home/cyblnxadm, i get the email after 1 hour.
Any idea about the delay? My real time monitoring is started and i can see
that at the logs. But the messages are coming delayed.
I am using Centos7 and and installed ossec agent using atomicrepo.
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
