Is there a hard limit on the rate at which syscheck will report new/changed
files?
I have roughly 120 clients reporting to one server. I see frequent
occasions where new or changed files (sometimes with realtime enabled,
sometimes not) seem to be reported by syscheck days, weeks, or even
That didn't work. Have to try something else.
On Fri, Oct 14, 2016 at 5:52 PM, Matt wrote:
> Realtime monitoring seems to be working now that I've adjusted the scan
> frequency. Earlier the scan frequency was 4 hours, then 10 minutes. It's now
> 20 minutes and realtime now seems to work. I don't claim it makes sense,
>
Hi Matt,
As we can see, Syscheck isn't very accurate with time for three main
reasons:
1. In order not to impact the system performance, Syscheck sleeps two
seconds for every 15 checked files. You can change this by changing the
settings "syscheck.sleep" and "syscheck.sleep_after" at
On Mon, Oct 17, 2016 at 9:02 AM, Herman Harperink
wrote:
>> Been testing a little more with this. With all all
>> agents get updated, except for the server. On the server AR just does not
>> work like that.
>
> Of course, with local it works on the server.
>
> So,
>
> Been testing a little more with this. With all all
> agents get updated, except for the server. On the server AR just does not
> work like that.
>
Of course, with local it works on the server.
So, when you want to protect all your agents from the same attackers,
you'll be left with a
Hi,
Do you refer to changing the agent's IP on registering at manage_agents?
In that case you may use the word *"any"* when the program asks for the IP
address:
$ sudo /var/ossec/bin/manage_agents
>
> * OSSEC HIDS v2.9.0 Agent manager. *
> * The