Syscheck agent.conf multiple start times


BP9906

Feb 9, 2012, 3:04:59 PM
to ossec-list
Is it possible to have multiple start times for Syscheck?

I tried
<scan_time>05:00,11:00,18:00</scan_time>

but the ossec agent complains about it.
I'm going to try
<scan_time>05:00</scan_time>
<scan_time>11:00</scan_time>
<scan_time>18:00</scan_time>

Just trying to find a happy medium here.

The problem is that if I use frequency to every 6-7 hrs it causes a
UDP storm from 30+ machines for syscheck data on top of the usual
alert sending. I've maxed out the buffer size on my Linux kernel,
ossec server agent count is very high, and the server can handle it,
just that there's so much that the ossec server doesn't read the buffer
fast enough for the data coming through so I get intermittent results/
data for the roughly 30 min window while all these machines send their
syscheck results.

It would be nice to be able to give syscheck a random 2hr window to
the start time to reduce this chance, or to be able to stagger out the
machines in separate agent.conf configs based on multiple start times.
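As an added example that is not part of this thread: a small Python generator for the staggering approach described above. It assumes agent.conf's `<agent_config name="...">` attribute for per-agent blocks; the agent names, the 05:00 window and the slot size are constructed values, and each agent gets a single daily scan_time.

```python
"""Spread OSSEC syscheck scan_time values across agents.

Constructed example: instead of all 30 agents scanning (and sending
syscheck data) at the same moment, give each agent one scan_time slot
inside a window so the per-slot burst stays small.
"""
from datetime import datetime, timedelta


def stagger_scan_times(agents, window_start="05:00", window_minutes=120, slot_minutes=10):
    """Assign each agent a scan_time within [window_start, window_start + window).

    Agents are dealt round-robin over the slots, so 30 agents over 12
    ten-minute slots puts at most 3 agents on any one scan_time.
    Returns {agent_name: "HH:MM"}.
    """
    if window_minutes <= 0 or slot_minutes <= 0 or slot_minutes > window_minutes:
        raise ValueError("window and slot sizes must be positive, slot <= window")
    base = datetime.strptime(window_start, "%H:%M")
    slots = window_minutes // slot_minutes
    assignment = {}
    for i, agent in enumerate(sorted(agents)):
        offset = (i % slots) * slot_minutes
        # strftime wraps past midnight (23:50 + 10 min -> "00:00")
        assignment[agent] = (base + timedelta(minutes=offset)).strftime("%H:%M")
    return assignment


def render_agent_conf(assignment):
    """Emit one <agent_config name=...> block per agent with its scan_time."""
    blocks = []
    for agent, hhmm in sorted(assignment.items()):
        blocks.append(
            f'<agent_config name="{agent}">\n'
            "  <syscheck>\n"
            f"    <scan_time>{hhmm}</scan_time>\n"
            "  </syscheck>\n"
            "</agent_config>"
        )
    return "\n\n".join(blocks)


def peak_agents_per_slot(assignment):
    """Largest number of agents sharing one scan_time (the burst size)."""
    counts = {}
    for hhmm in assignment.values():
        counts[hhmm] = counts.get(hhmm, 0) + 1
    return max(counts.values()) if counts else 0


if __name__ == "__main__":
    agents = [f"web{n:02d}" for n in range(30)]  # constructed agent names
    plan = stagger_scan_times(agents)
    print(render_agent_conf(plan))
    print("peak agents per slot:", peak_agents_per_slot(plan))
```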

dan (ddp)

Feb 10, 2012, 8:34:27 AM
to ossec...@googlegroups.com

I like the randomized start time idea. Something like "run every 6-ish
hours, but start 1-30 minutes after the 6 hour mark."

BP9906

Feb 10, 2012, 6:23:43 PM
to ossec-list
Yeah I agree. The random window is good. Would be good if it was
configurable though because that window might not amount to much if
you have a lot of agents at a particular interval. I think having an
hour random time for me should be sufficient, but others might not
like a whole hour.

On Feb 10, 5:34 am, "dan (ddp)" <ddp...@gmail.com> wrote:

dan (ddp)

Feb 14, 2012, 10:18:17 AM
to ossec...@googlegroups.com
Agree, 100%.

BP9906

Feb 15, 2012, 4:08:17 PM
to ossec-list
Added it to bitbucket.
https://bitbucket.org/dcid/ossec-hids/issue/35/syscheck-agentconf-configurable-random

Hopefully something we could get added in a near release. :)

Weezel

Feb 16, 2012, 1:41:30 PM
to ossec-list

> > >> > The problem is that if I use frequency to every 6-7 hrs it causes a
> > >> > UDP storm from 30+ machines for syscheck data on top of the usual
> > >> > alert sending. I've maxed out the buffer size on my linux kernel,
> > >> > ossec server agent count is very high, and the server can handle it,
> > >> > just that there's so much that the ossec server doesnt read the buffer
> > >> > fast enough for the data coming through so I get intermittent results/
> > >> > data for the roughly 30 min window while all these machines send their
> > >> > syscheck results.
>

Does the tcp protocol option in the remote section of the server
config affect syscheck logging from client to server? If so, would
that solve your problem?

Jousseaume Philippe

Jun 5, 2012, 11:55:00 AM
to ossec...@googlegroups.com

Hello,

When adding a client to the OSSEC server, I get the following log

2012/06/05 17:45:31 ossec-remoted(1403): ERROR: Incorrectly formated message from '172.17.10.140'.

Could you help me?

Thanks for your answers.

Regards.

Philippe JOUSSEAUME

Institut national de la propriété industrielle - DSI

System Engineer

32, rue des Trois Fontanot

F-92016 Nanterre - FRANCE
pjous...@inpi.fr

www.inpi.fr

INPI - We all win by innovating.
www.inpi.fr

Jousseaume Philippe

Jun 5, 2012, 11:56:17 AM
to ossec...@googlegroups.com

I had already deleted the client before, then added it again afterwards.

Regards.

Philippe JOUSSEAUME

Institut national de la propriété industrielle - DSI

Systems Engineer

32, rue des Trois Fontanot


From: Jousseaume Philippe
Sent: Tuesday, June 5, 2012 17:55
To: 'ossec...@googlegroups.com'
Subject: adding a client to OSSEC Server

dan (ddp)

Jun 5, 2012, 12:25:46 PM
to ossec...@googlegroups.com
2012/6/5 Jousseaume Philippe <pjous...@inpi.fr>:
> Bonjour,
>
>
>
> When adding a client to OSSEC Server, i get the following log
>
>
>
> 2012/06/05 17:45:31 ossec-remoted(1403): ERROR: Incorrectly formated message
> from '172.17.10.140'.
>

You didn't give us much to go on. Since it's not my week to have the
crystal ball, here are some basic questions:

Have you ever had a working agent for this server?
How many agents do you have configured on this server?
Is 172.17.10.140 the IP of the agent you entered in manage_agents on the server?
Restart the OSSEC processes on the server.
Try reinstalling the key on the agent. Make sure the entire string is copied.
Restart the OSSEC processes on the agent.
Delete the agent on the server, restart the server's OSSEC processes,
create a new agent, restart the server's OSSEC processes, install the
key on the agent, restart the agent's OSSEC processes.