Agent Syscheck Frequency Issue


Yousif Johny

Nov 21, 2016, 7:34:04 AM11/21/16
to ossec-list
Hi all,

I've been having this weird issue with OSSEC. I set up an agent on one server, and things seem okay at first.

When I modify a file that is being monitored (/etc/passwd) I'd have to wait a significant time for it to trigger an alert (unless I manually run syscheckd). So I went to /var/ossec/etc/ossec.conf (on the server being monitored) and modified it as follows:

<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>30</frequency>

  <!-- Directories to check  (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
</syscheck>


So the frequency is 30 (which I believe is in seconds).

Correct me if I'm wrong, but I thought this would mean syscheck would run every 30 seconds, meaning if I modify a file, it'll take a max of 30 seconds for it to trigger an alert, right?

If so, then why is it not triggering? I've been waiting for minutes and minutes and nothing happens. This has been puzzling me.


Thank you.

dan (ddp)

Nov 21, 2016, 8:00:57 AM11/21/16
to ossec...@googlegroups.com
30 seconds is too small. Depending on the system, about 300 seems to
be the minimum.
The more files you're monitoring, the longer it will take, so the
higher the frequency that should be set.


Jesus Linares

Nov 21, 2016, 12:50:30 PM11/21/16
to ossec-list
Hi Yousif,

As Dan said, the minimum is around 300 seconds. Do not set a lower value.

It is possible to improve the syscheck performance by changing these options in local_internal_options.conf:
syscheck.sleep=2  // change to 1 or 0
syscheck.sleep_after=15 // change to a greater value

By default, OSSEC sleeps 2 seconds after scanning 15 files. If you change this configuration syscheck will be faster, but it will also use more resources, so it can impact the performance of the agent.

Regards.
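Added example (not code from the thread or from OSSEC): a small planning check that reads the posted <syscheck> block and the two local_internal_options.conf knobs, then estimates, using the sleep-after-N-files behaviour Jesus describes, how much of a scan pass is spent just sleeping and whether a given <frequency> is realistic. The 300-second floor, the sample config strings and the file counts passed in are assumptions taken from the thread or constructed here, not values OSSEC enforces.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <syscheck> block from the thread (frequency 30 did
# not work) and the default syscheck.sleep / syscheck.sleep_after values.
SYSCHECK_XML = """<syscheck>
  <frequency>30</frequency>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
</syscheck>"""
INTERNAL_OPTIONS = "# constructed local_internal_options.conf\nsyscheck.sleep=2\nsyscheck.sleep_after=15\n"

MIN_FREQUENCY = 300  # practical floor quoted in the thread, not an OSSEC-enforced limit

def parse_syscheck(xml_text):
    """Return (frequency in seconds, list of monitored directories)."""
    root = ET.fromstring(xml_text)
    freq = int(root.findtext("frequency"))
    dirs = [p.strip() for d in root.findall("directories") for p in d.text.split(",")]
    return freq, dirs

def parse_internal_options(text):
    """Pick the integer syscheck.* settings out of local_internal_options.conf text."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*(syscheck\.\w+)\s*=\s*(\d+)\s*$", line)
        if m:
            opts[m.group(1)] = int(m.group(2))
    return opts

def count_files(dirs):
    """Count regular files under the monitored directories (walks the real filesystem)."""
    return sum(len(files) for d in dirs for _, _, files in os.walk(d))

def sleep_floor(file_count, sleep=2, sleep_after=15):
    """Seconds one pass spends only sleeping: `sleep` s after every `sleep_after` files."""
    if sleep_after <= 0:
        return 0
    return (file_count // sleep_after) * sleep

def check_frequency(freq, file_count, opts):
    """'too_low' (below the thread's floor), 'scan_exceeds_interval' (sleeping
    alone outlasts the interval, so alerts lag far beyond it) or 'ok'."""
    floor = sleep_floor(file_count, opts.get("syscheck.sleep", 2), opts.get("syscheck.sleep_after", 15))
    if freq < MIN_FREQUENCY:
        return "too_low"
    if freq < floor:
        return "scan_exceeds_interval"
    return "ok"
```

Run it against a real agent by feeding the <syscheck> element of its ossec.conf to parse_syscheck and the directory list to count_files; the sleep floor is a lower bound, since hashing the files adds time on top of it.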