Hi all,
I've been having this weird issue with OSSEC. I set up an agent on one server, and things seemed okay at first.
When I modify a file that is being monitored (/etc/passwd), I'd have to wait a significant time for it to trigger an alert (unless I manually run syscheckd). So I went to /var/ossec/etc/ossec.conf (on the side of the server being monitored) and modified it as follows:
<syscheck>
  <!-- Frequency that syscheck is executed - default to every 22 hours -->
  <frequency>30</frequency>
  <!-- Directories to check (perform all possible verifications) -->
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/bin,/sbin</directories>
</syscheck>
So the frequency is 30 (which I believe is in seconds).
Correct me if I'm wrong, but I thought this would mean syscheck would run every 30 seconds, meaning that if I modify a file, it would take a maximum of 30 seconds to trigger an alert, right?
If so, then why is it not triggering? I've been waiting for minutes and minutes, and nothing happens. This has been puzzling me.
Thank you.
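As an added example (not part of the original post and not OSSEC's shipped ossec.conf), here is an agent-side syscheck block for the same paths that combines a periodic scan with OSSEC's realtime monitoring. In OSSEC, frequency is in seconds and applies to the scheduled full scan; realtime="yes" on a directories entry makes syscheckd watch that path with inotify so changes are reported within seconds instead of at the next scan. The interval value is an assumption for illustration; the attributes used are documented OSSEC syscheck options.

```xml
<!-- /var/ossec/etc/ossec.conf on the monitored host (the agent side).
     Added example configuration; not the original poster's file. -->
<ossec_config>
  <syscheck>
    <!-- Scheduled full-scan interval, in seconds. The shipped default is 79200
         (22 hours). Very small values rescan every listed tree back to back;
         one hour (assumed here) is plenty when realtime covers the hot paths. -->
    <frequency>3600</frequency>

    <!-- Paths that must alert promptly: realtime="yes" watches them with inotify,
         report_changes="yes" attaches a diff for text files such as /etc/passwd. -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc</directories>

    <!-- Binaries change rarely; the scheduled scan is enough for them. -->
    <directories check_all="yes">/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>
</ossec_config>
```

Three practical checks go with this. First, the agent only reads ossec.conf at startup, so after editing it run /var/ossec/bin/ossec-control restart on the agent and confirm in /var/ossec/logs/ossec.log that ossec-syscheckd came back up; an edited file that was never reloaded behaves exactly like the old configuration. Second, the agent's scan interval comes from the agent's own ossec.conf (or a centralized agent.conf), not from the syscheck block on the manager, so editing the wrong host has no effect. Third, syscheck alerts are diffs against a baseline database: on a freshly installed agent the first scan has to complete before any change can be detected, and realtime watching requires a Linux build with inotify support. From the manager, /var/ossec/bin/agent_control -r -u <agent_id> requests an immediate integrity scan on one agent, which is a quicker way to test the setup than waiting for the interval to elapse.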