Hi,

The configuration parser allows multiple definitions of <syscheck>. OSSEC
reads the *ossec.conf* file first, and then *agent.conf* (only in agents).

The <directories> option is aggregable so all directories specified will be
monitored. On the other hand, value-based options (like <frequency>) are
overwritten. So the option

<frequency>120</frequency>

is applying. The Syscheck frequency is not accurate with low intervals.

This is because Syscheck performs some delays in order to guarantee a
low-performance impact. After performing a complete scan, it makes a pause
depending on the configuration:

   - If any directory has been set for real-time monitoring, Syscheck waits
   for 5 minutes until any file changes. After reporting all the files
   changed, it will wait for 5 minutes while it's not the time to perform a
   new complete scan.
   - If real-time was not enabled for any directory, Syscheck sleeps for 5
   minutes.

This value of 5 minutes is not configurable in OSSEC.

You surely have not enabled real-time, so the frequency of 120 seconds is
applying. However, the application is sleeping for 5 minutes between a scan
ending and the beginning of the next one.

If you use higher values like 20 and 10 minutes, you'll be able to see that
the last <frequency> option always applies.

Hope it helps.

Best regards,

<https://wazuh.com/>
*Victor M Fernandez-Castro*
IT Engineer — *Wazuh, Inc.*
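
As an added illustration (not code from OSSEC or from anyone in this thread), the following Python model reproduces the two behaviours described above: how several <syscheck> blocks are merged (directories aggregate, the last <frequency> wins) and why a 120-second frequency still yields roughly 5.5-minute gaps. The config text is constructed from the quoted ossec.conf; the scheduling function is a simplified model of the described pause, not OSSEC's actual source.

```python
import xml.etree.ElementTree as ET

# Pause OSSEC makes after every complete scan (5 minutes, not configurable).
SYSCHECK_PAUSE = 300

# Constructed sample: the two <syscheck> blocks from the thread, as one ossec.conf.
OSSEC_CONF = """
<syscheck>
  <disabled>no</disabled>
  <frequency>300</frequency>
  <directories check_all="yes">E:/syscheck1</directories>
</syscheck>
<syscheck>
  <disabled>no</disabled>
  <frequency>120</frequency>
  <directories check_all="yes">E:/syscheck2</directories>
</syscheck>
"""

def merge_syscheck(config_texts):
    """Merge every <syscheck> block in the given config files, in the order
    OSSEC reads them (ossec.conf first, then agent.conf on agents).
    <directories> entries aggregate; value options such as <frequency>
    keep only the last value seen."""
    merged = {"directories": [], "frequency": None}
    for text in config_texts:
        # OSSEC config files hold several top-level elements, so wrap them
        # in a synthetic root element to parse with ElementTree.
        root = ET.fromstring("<root>" + text + "</root>")
        for block in root.iter("syscheck"):
            for opt in block:
                if opt.tag == "directories":
                    for d in (opt.text or "").split(","):  # comma-separated list
                        d = d.strip()
                        if d and d not in merged["directories"]:
                            merged["directories"].append(d)
                elif opt.tag == "frequency":
                    merged["frequency"] = int(opt.text)
                else:
                    merged[opt.tag] = (opt.text or "").strip()
    return merged

def next_scan_start(prev_start, prev_end, frequency, pause=SYSCHECK_PAUSE):
    """Simplified model of the schedule: after a scan ends the agent sleeps
    `pause` seconds, then starts the next scan once `frequency` seconds have
    elapsed since the previous scan began (whichever comes later)."""
    return max(prev_end + pause, prev_start + frequency)

def scan_timeline(first_start, durations, frequency, pause=SYSCHECK_PAUSE):
    """Start times (seconds of day) of successive scans, given each scan's duration."""
    starts = [first_start]
    for dur in durations:
        starts.append(next_scan_start(starts[-1], starts[-1] + dur, frequency, pause))
    return starts

if __name__ == "__main__":
    print(merge_syscheck([OSSEC_CONF]))        # frequency 120, both directories
    # 18:51:00 is 67860 s; the quoted scans lasted 31 s and 44 s
    print(scan_timeline(67860, [31, 44], 120))  # 18:51:00, 18:56:31, 19:02:15
```

With a 20-minute frequency (1200 s) the same model yields a 1200-second interval, which is why the last <frequency> is visibly honoured only at higher values.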

On Mon, Feb 26, 2018 at 2:03 AM, dan (ddp) <ddp...@gmail.com> wrote:

> On Wed, Feb 21, 2018 at 2:18 PM, Jorge Martins <jorge.mart...@wemake.pt>
> wrote:
> > Hi,
> >
> >
> > I wonder if this is the expected behaviour for syscheck.
> >
> >
> > I tried having 2 different frequencies, so I tested by adding 2 entries of
> > <syscheck> on the ossec.conf, one having a 5 minutes frequency and the other
> > 2 minutes.
> >
> >
> >   <syscheck>
> >     <disabled>no</disabled>
> >     <frequency>300</frequency>
> >
> >     <directories check_all="yes">E:/syscheck1</directories>
> >   </syscheck>
> >
> >
> >   <syscheck>
> >     <disabled>no</disabled>
> >     <frequency>120</frequency>
> >
> >     <directories check_all="yes">E:/syscheck2</directories>
> >   </syscheck>
> >
> >
> > What happened was this:
> >
> > Both were recognized by the agent
> >
> >
> > 2018/02/21 18:49:30 ossec-agent: INFO: Monitoring directory: 'E:/syscheck1', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
> > 2018/02/21 18:49:30 ossec-agent: INFO: Monitoring directory: 'E:/syscheck2', with options perm | size | owner | group | md5sum | sha1sum | mtime | inode.
> >
> > The scan frequency announced on the log was the second one
> >
> >
> > 2018/02/21 18:50:00 ossec-agent: INFO: Syscheck scan frequency: 120 seconds
> >
> >
> > But the frequency adopted was the first one (5 minutes)
> >
> >
> > 2018/02/21 18:51:00 ossec-agent: INFO: Starting syscheck scan.
> > 2018/02/21 18:51:31 ossec-agent: INFO: Ending syscheck scan.
> > 2018/02/21 18:56:31 ossec-agent: INFO: Starting syscheck scan.
> > 2018/02/21 18:57:15 ossec-agent: INFO: Ending syscheck scan.
> > 2018/02/21 19:02:15 ossec-agent: INFO: Starting syscheck scan.
> > 2018/02/21 19:02:57 ossec-agent: INFO: Ending syscheck scan.
> >
> > The agent correctly reported file changes in both folders.
> >
>
> Sounds like a bug in handling a bad configuration.
>
> >
> > Thanks
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to ossec-list+unsubscr...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
>
