On Fri, Jan 25, 2019 at 4:26 AM Oliver Wittenburg <[email protected]> wrote:
>
> Hi all,
>
> I have a perhaps stupid ossec beginner's question.
> My syscheck configuration is:
>
> <syscheck>
> <frequency>3600</frequency>
> <scan_on_start>yes</scan_on_start>
> <skip_nfs>yes</skip_nfs>
> <alert_new_files>yes</alert_new_files>
> <auto_ignore>no</auto_ignore>
> <directories realtime="no" check_all="yes" report_changes="yes">/boot</directories>
> <directories realtime="no" check_all="yes" report_changes="yes">/etc</directories>
> <directories realtime="no" check_all="yes" report_changes="yes">/usr/local/etc</directories>
> <directories realtime="no" check_all="yes">/bin</directories>
> <directories realtime="no" check_all="yes">/usr/bin</directories>
> <directories realtime="no" check_all="yes">/sbin</directories>
> <directories realtime="no" check_all="yes">/usr/sbin</directories>
> <directories realtime="no" check_all="yes">/lib,/lib64,/usr/lib,/usr/lib64</directories>
> <directories realtime="no" check_all="yes">/usr/local/bin</directories>
> <directories realtime="no" check_all="yes">/usr/local/sbin</directories>
> <directories realtime="no" check_all="yes">/usr/local/lib</directories>
> <directories realtime="no" check_all="yes">/usr/local/lib64</directories>
> <directories realtime="no" check_all="yes">/opt</directories>
> </syscheck>
>
> The frequency should be 1 hour, but when I look at the logfile I see a
> frequency of 1 hour plus five minutes:
>
> 2019/01/25 01:19:45 ossec-syscheckd: INFO: Starting syscheck scan.
> 2019/01/25 01:20:06 ossec-syscheckd: INFO: Ending syscheck scan.
> 2019/01/25 02:25:06 ossec-syscheckd: INFO: Starting syscheck scan.
> 2019/01/25 02:25:27 ossec-syscheckd: INFO: Ending syscheck scan.
> 2019/01/25 03:30:27 ossec-syscheckd: INFO: Starting syscheck scan.
> 2019/01/25 03:30:49 ossec-syscheckd: INFO: Ending syscheck scan.
> 2019/01/25 04:35:49 ossec-syscheckd: INFO: Starting syscheck scan.
> 2019/01/25 04:36:10 ossec-syscheckd: INFO: Ending syscheck scan.
> 2019/01/25 05:41:10 ossec-syscheckd: INFO: Starting syscheck scan.
> 2019/01/25 05:41:32 ossec-syscheckd: INFO: Ending syscheck scan.
>
> No matter which frequency value I am using, it is always plus five minutes.
> Enabling/disabling realtime monitoring has no effect.
>
> Am I missing some settings? Are these 5 minutes intentional?
>

It's not an exact timer. There are a number of sleeps in the code that might cause this, but I can't think of a specific one offhand.

> Thanks for your help,
>
> Oliver
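
Added example, not part of either message and not OSSEC's own code: a Python sketch that parses the syscheck log lines quoted in the question and separates scan duration from the idle time between the end of one scan and the start of the next. The function names (`parse_events`, `scan_timing`) are hypothetical; the log lines are the ones from the question.

```python
import re
from datetime import datetime

# Log lines copied from the question above.
LOG = """\
2019/01/25 01:19:45 ossec-syscheckd: INFO: Starting syscheck scan.
2019/01/25 01:20:06 ossec-syscheckd: INFO: Ending syscheck scan.
2019/01/25 02:25:06 ossec-syscheckd: INFO: Starting syscheck scan.
2019/01/25 02:25:27 ossec-syscheckd: INFO: Ending syscheck scan.
2019/01/25 03:30:27 ossec-syscheckd: INFO: Starting syscheck scan.
2019/01/25 03:30:49 ossec-syscheckd: INFO: Ending syscheck scan.
2019/01/25 04:35:49 ossec-syscheckd: INFO: Starting syscheck scan.
2019/01/25 04:36:10 ossec-syscheckd: INFO: Ending syscheck scan.
2019/01/25 05:41:10 ossec-syscheckd: INFO: Starting syscheck scan.
2019/01/25 05:41:32 ossec-syscheckd: INFO: Ending syscheck scan.
"""

LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-syscheckd: INFO: "
    r"(Starting|Ending) syscheck scan\.")

def parse_events(text):
    """Yield (timestamp, 'Starting'|'Ending') for each syscheck scan line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2)

def scan_timing(text):
    """Return (scan durations, end-to-next-start idle gaps), in seconds."""
    durations, idle_gaps = [], []
    last_start = last_end = None
    for ts, kind in parse_events(text):
        if kind == "Starting":
            if last_end is not None:
                idle_gaps.append(int((ts - last_end).total_seconds()))
            # An unmatched start (e.g. daemon restart) must not produce a gap.
            last_start, last_end = ts, None
        elif last_start is not None:
            durations.append(int((ts - last_start).total_seconds()))
            last_start, last_end = None, ts
    return durations, idle_gaps

if __name__ == "__main__":
    configured = 3600  # <frequency> from the quoted syscheck block
    durations, idle_gaps = scan_timing(LOG)
    print("scan durations (s):", durations)
    print("idle gaps (s):", idle_gaps)
    print("gap minus <frequency> (s):", [g - configured for g in idle_gaps])
```

On the quoted lines, every end-to-start gap is 3900 seconds (the configured 3600 plus 300), while the start-to-start period also includes the 21 to 22 seconds each scan takes.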
