Is it possible to have multiple start times for Syscheck?

I tried
    <scan_time>05:00,11:00,18:00</scan_time>

but the ossec agent complains about it.
I'm going to try
    <scan_time>05:00</scan_time>
    <scan_time>11:00</scan_time>
    <scan_time>18:00</scan_time>

Just trying to find a happy medium here.

The problem is that if I set frequency to every 6-7 hrs it causes a
UDP storm from 30+ machines for syscheck data on top of the usual
alert sending. I've maxed out the buffer size on my Linux kernel,
ossec server agent count is very high, and the server can handle it,
just that there's so much that the ossec server doesn't read the buffer
fast enough for the data coming through, so I get intermittent
results/data for the roughly 30 min window while all these machines
send their syscheck results.

It would be nice to be able to give syscheck a random 2hr window to
the start time to reduce this chance, or to be able to stagger out the
machines in separate agent.conf configs based on multiple start times.
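
Added example (not part of the original post, and not OSSEC project code): one way to stagger the agents from the manager side is to generate a per-agent scan_time inside a two-hour window, derived from a hash of the agent name so each agent keeps the same slot across regenerations. It assumes the shared agent.conf accepts per-agent <agent_config name="..."> blocks; the host names and the 05:00 base time are constructed.

```python
import hashlib
from xml.sax.saxutils import quoteattr

WINDOW_MINUTES = 120  # the two-hour spread asked for in the post


def staggered_time(agent: str, base: str, window: int = WINDOW_MINUTES) -> str:
    """Return HH:MM = base + a stable per-agent offset in [0, window)."""
    hours, minutes = (int(p) for p in base.split(":"))
    if not (0 <= hours < 24 and 0 <= minutes < 60):
        raise ValueError(f"bad base time: {base!r}")
    # Hash instead of random(): the offset survives regeneration of the
    # file, so an agent does not move to a new slot on every config push.
    digest = hashlib.sha256(agent.encode("utf-8")).digest()
    offset = int.from_bytes(digest[:4], "big") % window
    total = (hours * 60 + minutes + offset) % (24 * 60)  # wrap past midnight
    return f"{total // 60:02d}:{total % 60:02d}"


def agent_conf(agents, base="05:00"):
    """Build one <agent_config> block per agent with its own scan_time."""
    blocks = []
    for name in agents:
        blocks.append(
            f"<agent_config name={quoteattr(name)}>\n"
            f"  <syscheck>\n"
            f"    <scan_time>{staggered_time(name, base)}</scan_time>\n"
            f"  </syscheck>\n"
            f"</agent_config>"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    # Constructed host names, not taken from the post.
    print(agent_conf([f"web{i:02d}" for i in range(1, 6)]))
```

With 30 agents spread over 120 minutes the hash gives roughly one scan start every four minutes on average; two agents can still land on the same minute, so widen the window if the collisions matter.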
