On Fri, Nov 15, 2013 at 8:47 AM, Irena Zhekova <reni...@gmail.com> wrote:
> Hi,
>
> I'm trying to configure real time notification of some servers. After
> editing ossec.conf:
>
> <syscheck>
>   <!-- Frequency that syscheck is executed - default to every 22 hours -->
>   <frequency>3600</frequency>
>   <alert_new_files>yes</alert_new_files>
>   <scan_on_start>no</scan_on_start>
>   <auto_ignore>no</auto_ignore>
>   <!-- Directories to check (perform all possible verifications) -->
>   <directories realtime="yes" report_changes="yes" check_all="yes">/etc,/var/spool/cron</directories>
>   <directories realtime="yes" check_all="yes">/home/user123</directories>
>   <directories check_all="yes">/home,/root,/usr,/bin,/sbin,/var/www</directories>
>
> and restarting "/var/ossec/bin/ossec-control restart" I'm waiting to see in
> ossec.log "Real time file monitoring started."
>
> But this takes too long:
>
> 2013/11/13 09:08:25 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2013/11/13 09:08:25 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2013/11/13 09:08:25 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> 2013/11/13 09:09:47 ossec-syscheckd: ERROR: Unable to run diff for /etc/prelink.cache
> 2013/11/14 12:42:29 ossec-syscheckd: INFO: Real time file monitoring started.
> 2013/11/14 12:42:29 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> 2013/11/14 12:42:41 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
> 2013/11/14 12:43:01 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2013/11/14 13:19:52 ossec-rootcheck: INFO: Ending rootcheck scan.
> 2013/11/14 13:44:52 ossec-syscheckd: INFO: Starting syscheck scan.
>
> 2013/11/15 10:07:16 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2013/11/15 10:07:16 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2013/11/15 10:07:16 ossec-syscheckd: INFO: Initializing real time file monitoring (not started).
> 2013/11/15 12:33:19 ossec-syscheckd: WARN: Error opening directory: '/var/lib/mysql': Too many levels of symbolic links
> 2013/11/15 12:33:19 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
> 2013/11/15 12:33:31 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
> 2013/11/15 12:33:51 ossec-syscheckd: INFO: Starting real time file monitoring.
> 2013/11/15 12:33:51 ossec-rootcheck: INFO: Starting rootcheck scan.
> 2013/11/15 12:50:14 ossec-rootcheck: INFO: Ending rootcheck scan.
>
> Currently most of the time is spent adding /home/user123 directories for
> realtime monitoring, which are 2869.
> Is there an obvious reason for this? It's mentioned in the documentation
> that this process takes no longer than 30 min.
>

I will correct the documentation. Registering the files takes longer when there are more files.

> Thanks,
> Irena
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
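The thread's cost driver is the number of directories that must be registered for realtime monitoring (2869 under /home/user123 in the post). The following added script, which is not part of the thread or of OSSEC, estimates that count before you commit a `<directories realtime="yes">` entry: it pulls the realtime paths out of a `<syscheck>` block, counts each one's directory tree without following symlinks (so a loop like the `/var/lib/mysql` warning above does not recurse forever), and, where available, reads the kernel's `fs.inotify.max_user_watches` limit for comparison. It assumes one watch per directory, which is how inotify-based realtime monitoring on Linux registers a tree; the sample config and the temporary test tree are constructed here for the demonstration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: the <syscheck> block from the post, not a full ossec.conf.
SAMPLE_SYSCHECK = """<syscheck>
  <frequency>3600</frequency>
  <directories realtime="yes" report_changes="yes" check_all="yes">/etc,/var/spool/cron</directories>
  <directories realtime="yes" check_all="yes">/home/user123</directories>
  <directories check_all="yes">/home,/root,/usr,/bin,/sbin,/var/www</directories>
</syscheck>
"""


def realtime_paths(syscheck_xml):
    """Return every path from <directories> elements that carry realtime="yes".
    A single element may list several comma-separated paths."""
    root = ET.fromstring(syscheck_xml)
    paths = []
    for el in root.findall("directories"):
        if el.get("realtime", "no").lower() != "yes":
            continue
        for p in (el.text or "").split(","):
            p = p.strip()
            if p:
                paths.append(p)
    return paths


def count_watch_dirs(path):
    """Count the directory itself plus every subdirectory, i.e. the number of
    inotify watches a per-directory watcher needs (assumption: one per dir).
    Symlinked directories are listed but not descended into."""
    if not os.path.isdir(path):
        return 0
    n = 0
    for _dirpath, _dirnames, _files in os.walk(path, followlinks=False):
        n += 1
    return n


def watch_estimate(syscheck_xml, prefix=""):
    """Map each realtime path to its estimated watch count.
    prefix relocates the configured paths under a test tree."""
    return {p: count_watch_dirs(prefix + p) for p in realtime_paths(syscheck_xml)}


def inotify_limit():
    """Current fs.inotify.max_user_watches, or None when not on Linux."""
    try:
        with open("/proc/sys/fs/inotify/max_user_watches") as f:
            return int(f.read().strip())
    except OSError:
        return None


def build_demo_tree():
    """Constructed test tree mirroring the post's paths, including a symlink loop
    like the one that produced 'Too many levels of symbolic links'."""
    base = tempfile.mkdtemp(prefix="syscheck-demo-")
    for rel in ("etc/cron.d", "etc/ssh", "var/spool/cron",
                "home/user123/a/b", "home/user123/c"):
        os.makedirs(os.path.join(base, rel), exist_ok=True)
    os.symlink(os.path.join(base, "home/user123"),
               os.path.join(base, "home/user123/loop"))
    return base


if __name__ == "__main__":
    base = build_demo_tree()
    est = watch_estimate(SAMPLE_SYSCHECK, prefix=base)
    for p, n in est.items():
        print(f"{p}: {n} directories to register")
    total = sum(est.values())
    limit = inotify_limit()
    print(f"total watches needed: {total}; kernel limit: {limit}")
    if limit is not None and total > limit:
        print("raise fs.inotify.max_user_watches or trim the realtime list")
```

Run it against the real ossec.conf by replacing `SAMPLE_SYSCHECK` with the file's `<syscheck>` block and an empty prefix; a total close to or above the kernel limit means realtime registration will either take very long or fail part-way, and the realtime list should be narrowed to the directories that actually need instant alerts, leaving the rest to the scheduled scan.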