Could this be because of my global email settings, shown below?

<!-- Global e-mail alert settings: notification switch, recipients, SMTP relay,
     sender address and the hourly mail cap. -->
<global>
    <email_notification>yes</email_notification>
    <email_to>[email protected]</email_to>
    <email_to>[email protected]</email_to>
    <smtp_server>ap-smtp-ggrc.pool.gittigidiyor.net</smtp_server>
    <email_from>[email protected]</email_from>
    <!-- Cap on alert e-mails per hour. With a value of 1 only one mail goes out
         per hour; per the OSSEC documentation, alerts beyond the cap are held
         and sent together at the end of the hour, which is consistent with the
         roughly one hour delay described in this thread. Raise the value if
         file-integrity alerts must reach responders promptly. -->
    <email_maxperhour>1</email_maxperhour>
  </global>






I changed email_maxperhour to 1000. Should I use do_not_delay?



26 Ocak 2018 Cuma 15:28:15 UTC+3 tarihinde Oğuz Yarımtepe yazdı:
>
> Below is my agent.conf
>
> <agent_config profile="LinuxGeneral">
>
>   <syscheck>
>     <!-- Frequency that syscheck is executed -- default every 6 hours -->
>     <frequency>21600</frequency>
>     <!-- <scan_on_start>yes</scan_on_start> -->
>     <skip_nfs>yes</skip_nfs>
>     <alert_new_files>yes</alert_new_files>
>     <auto_ignore>no</auto_ignore>
>
>     <!-- Directories to check  (perform all possible verifications) -->
>     <directories realtime="yes" check_all="yes" 
> report_changes="yes">/usr/local/etc</directories>
>     <directories realtime="yes" check_all="yes" 
> report_changes="yes">/lib,/lib64,/usr/lib,/usr/lib64</directories>
>     <directories realtime="yes" check_all="yes" 
> report_changes="yes">/usr/local/bin</directories>
>     <directories realtime="yes" check_all="yes" 
> report_changes="yes">/usr/local/sbin</directories>
>     <directories realtime="yes" check_all="yes" 
> report_changes="yes">/usr/local/lib</directories>
>     <directories realtime="yes" check_all="yes" 
> report_changes="yes">/usr/local/lib64</directories>
>     <directories realtime="yes" check_all="yes" 
> report_changes="yes">/home/cyblnxadm</directories>
>     <directories check_all="yes" realtime="yes" 
> report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>
>     <directories check_all="yes" realtime="yes" 
> report_changes="yes">/bin,/sbin,/boot</directories>
>
>     <!-- Files/directories to ignore -->
>     <ignore>/etc/mtab</ignore>
>     <ignore>/etc/hosts.deny</ignore>
>     <ignore>/etc/mail/statistics</ignore>
>     <ignore>/etc/random-seed</ignore>
>     <ignore>/etc/random.seed</ignore>
>     <ignore>/etc/adjtime</ignore>
>     <ignore>/etc/httpd/logs</ignore>
>     <ignore>/etc/utmpx</ignore>
>     <ignore>/etc/wtmpx</ignore>
>     <ignore>/etc/cups/certs</ignore>
>     <ignore>/etc/dumpdates</ignore>
>     <ignore>/etc/svc/volatile</ignore>
>     <ignore>/var/ossec</ignore>
>
>
>     <!-- Check the file, but never compute the diff.
>          NOTE(review): the directories entries above set report_changes="yes"
>          on /etc and /home/cyblnxadm, and e-mail notification is enabled, so
>          diffs of changed text files there can end up in alert mails. Only this
>          one path is excluded; other sensitive files (key material, files
>          holding credentials) would need their own nodiff entries. -->
>     <nodiff>/etc/ssl/private.key</nodiff>
>   </syscheck>
>
>   <rootcheck>
>     <disabled>no</disabled>
>     <skip_nfs>yes</skip_nfs>
>     <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
>     <system_audit>/var/ossec/etc/shared/system_audit_ssh.txt</system_audit>
>     
> <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
>     
> <system_audit>/var/ossec/etc/shared/cis_rhel6_linux_rcl.txt</system_audit>
>     
> <system_audit>/var/ossec/etc/shared/cis_rhel7_linux_rcl.txt</system_audit>
>     <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
>     
> <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
>   </rootcheck>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/messages</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/secure</location>
>   </localfile>
>
>   <localfile>
>     <log_format>syslog</log_format>
>     <location>/var/log/maillog</location>
>   </localfile>
>
> </agent_config>
>
>
>
> When I change a file under /home/cyblnxadm, I get the email after 1 hour. 
> Any idea about the delay? Real-time monitoring is started, and I can see 
> that in the logs, but the messages arrive delayed. 
> I am using CentOS 7 and installed the ossec agent using atomicrepo.
>
>
>     
>
