[ossec-list] syscheck can take months to report new or changed files

2016-10-17 Thread Sunny Day
Is there a hard limit on the rate at which syscheck will report new/changed files? I have roughly 120 clients reporting to one server. I see frequent occasions where new or changed files (sometimes with realtime enabled, sometimes not) seem to be reported by syscheck days, weeks, or even

Re: [ossec-list] Active response on server not working

2016-10-17 Thread Herman Harperink
That didn't work. Have to try something else.

Re: [ossec-list] Re: Unexpected FIM behavior

2016-10-17 Thread dan (ddp)
On Fri, Oct 14, 2016 at 5:52 PM, Matt wrote:
> Realtime monitoring seems to be working now that I've adjusted the scan
> frequency. Earlier the scan frequency was 4 hours, then 10 minutes. It's now
> 20 minutes and realtime now seems to work. I don't claim it makes sense,
>

[ossec-list] Re: Unexpected FIM behavior

2016-10-17 Thread Victor Fernandez
Hi Matt, As we can see, Syscheck isn't very accurate with time for three main reasons: 1. In order not to impact the system performance, Syscheck sleeps two seconds for every 15 checked files. You can change this by changing the settings "syscheck.sleep" and "syscheck.sleep_after" at

Re: [ossec-list] Active response on server not working

2016-10-17 Thread dan (ddp)
On Mon, Oct 17, 2016 at 9:02 AM, Herman Harperink wrote:
>> Been testing a little more with this. With all all
>> agents get updated, except for the server. On the server AR just does not
>> work like that.
>
> Of course, with local it works on the server.
>
> So,

Re: [ossec-list] Active response on server not working

2016-10-17 Thread Herman Harperink
>
> Been testing a little more with this. With all all
> agents get updated, except for the server. On the server AR just does not
> work like that.
>
Of course, with local it works on the server.

So, when you want to protect all your agents from the same attackers, you'll be left with a

[ossec-list] Re: Question:Edit/change agent's IP Address

2016-10-17 Thread Victor Fernandez
Hi,

Do you refer to changing the agent's IP on registering at manage_agents? In that case you may use the word *"any"* when the program asks for the IP address:

$ sudo /var/ossec/bin/manage_agents
>
> * OSSEC HIDS v2.9.0 Agent manager. *
> * The