Re: [ossec-list] Re: Unexpected FIM behavior

2016-10-25 Thread dan (ddp)
On Tue, Oct 25, 2016 at 1:05 PM, Matt wrote:
> I posted the agent ossec.conf on the windows server in my first posting,
> here is how it's presently configured.
>
> 16200

If the agent isn't respecting the frequency in its ossec.conf, this is a problem.

Re: [ossec-list] Re: Unexpected FIM behavior

2016-10-25 Thread Matt
I posted the agent ossec.conf on the windows server in my first posting, here is how it's presently configured. 16200 yes no no

Re: [ossec-list] Re: Unexpected FIM behavior

2016-10-25 Thread dan (ddp)
On Tue, Oct 25, 2016 at 12:29 PM, Matt wrote:
> It's my understanding it needed to be configured on the agent? Following is

What needed to be configured on the agent? Which specific settings were you referencing in your previous email? Some settings get set on the agent, some

Re: [ossec-list] Re: Unexpected FIM behavior

2016-10-25 Thread Matt
It's my understanding it needed to be configured on the agent? Following is anything I can see as remotely pertinent in the Ossec.conf file on the OSSEC server. I'm not including sections referencing the rules and directories to monitor and ignore (which I didn't modify). yes 5000

Re: [ossec-list] Re: Unexpected FIM behavior

2016-10-25 Thread dan (ddp)
On Tue, Oct 25, 2016 at 11:03 AM, Matt wrote:
> I can definitely confirm that the FIM scan ISN'T paying attention to the
> ossec.conf file on the Windows agent. Instead it is running based off the
> config of the OSSEC Master server. Pasting in config from windows agent.
>

Re: [ossec-list] Re: Unexpected FIM behavior

2016-10-25 Thread Matt
I can definitely confirm that the FIM scan ISN'T paying attention to the ossec.conf file on the Windows agent. Instead it is running based off the config of the OSSEC Master server. Pasting in config from windows agent. And I did add the new file and ignore flag to the master, just didn't

Re: [ossec-list] Re: Unexpected FIM behavior

2016-10-25 Thread Matt
I can not definitely confirm that the FIM scan ISN'T paying attention to the ossec.conf file on the Windows agent. Instead it is running based off the config of the OSSEC Master server. Pasting in config from windows agent. And I did add the new file and ignore flag to the master, just didn't

Re: [ossec-list] Re: Unexpected FIM behavior

2016-10-19 Thread dan (ddp)
On Oct 19, 2016 12:08 PM, "Matt" wrote:
>
> Thank you both, I appreciate it.
>
> I added the config to the global file instead of the local file.
>
> So, I think realtime is behaving now, but not the rest. It's my understanding the scan frequency for the agent is set on the

[ossec-list] Re: Unexpected FIM behavior

2016-10-19 Thread Matt
Thank you both, I appreciate it. I added the config to the global file instead of the local file. So, I think realtime is behaving now, but not the rest. It's my understanding the scan frequency for the agent is set on the agent, not the global level. I've set the agent to about an hour, but

Re: [ossec-list] Re: Unexpected FIM behavior

2016-10-17 Thread dan (ddp)
On Fri, Oct 14, 2016 at 5:52 PM, Matt wrote:
> Realtime monitoring seems to be working now that I've adjusted the scan
> frequency. Earlier the scan frequency was 4 hours, then 10 minutes. It's now
> 20 minutes and realtime now seems to work. I don't claim it makes sense,
>

[ossec-list] Re: Unexpected FIM behavior

2016-10-17 Thread Victor Fernandez
Hi Matt,

As we can see, Syscheck isn't very accurate with time for three main reasons:

1. In order not to impact the system performance, Syscheck sleeps two seconds for every 15 checked files. You can change this by changing the settings "syscheck.sleep" and "syscheck.sleep_after" at

[ossec-list] Re: Unexpected FIM behavior

2016-10-14 Thread Matt
I've changed the scan frequency to 40 minutes, and realtime isn't working. I've edited files 2 times, nothing. Hopefully it at least fires off when the next scan happens.

On Friday, October 14, 2016 at 11:06:53 AM UTC-7, Matt wrote:
> Hello,
>
> I just installed OSSEC in the Azure space,

[ossec-list] Re: Unexpected FIM behavior

2016-10-14 Thread Matt
Realtime monitoring seems to be working now that I've adjusted the scan frequency. Earlier the scan frequency was 4 hours, then 10 minutes. It's now 20 minutes and realtime now seems to work. I don't claim it makes sense, it's just what I'm observing. Ok I've discovered that the config doesn't