On Fri, Feb 7, 2014 at 1:27 PM, Sean Jackson <[email protected]> wrote:
> On my server, this is the setting I have:
>
> <syscheck>
> <!-- Frequency that syscheck is executed -- default every 20 hours -->
> <!-- 15 min = 900 -->
> <!-- 20 hours = 72000 -->
> <frequency>300</frequency>
>
> And on the shared agent.conf, this is what I have:
>
> <syscheck>
> <!-- Frequency that syscheck is executed - default to every 22 hours -->
> <frequency>300</frequency>
>

Check the ossec.conf on the agent as well.

> Per my understanding, the agents and server should all be scanning every 5
> minutes. Am I incorrect?
>

About every 5 minutes, sure. How often are the scans actually running? You should be able to find this in the ossec.conf.

>
> On Thursday, February 6, 2014 1:05:11 PM UTC-7, Sean Jackson wrote:
>>
>> These emails come during the morning, and the on-call guys are weary from
>> getting them when they come.
>>
>> Can anyone help me tune OSSEC so they come closer to when changes were
>> made (the changes in these examples happened 12-14 hours earlier)?
>>
>> OSSEC HIDS Notification.
>> 2014 Feb 06 04:40:34
>>
>> Received From: (xxxxxxxxxx) XXX.XX.58.194->syscheck
>> Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> Portion of the log(s):
>>
>> Integrity checksum changed for: '/usr/bin/git-check-attr'
>> Size changed from '1412976' to '1417808'
>> Old md5sum was: '10dfa23bcacb1913419d4ca65a6442e2'
>> New md5sum is : 'd59af7c52c919ad764b9a7c6ee9e997a'
>> Old sha1sum was: '67ec1ab51b102638a4dbfdda2e5e0e38a29b0a5b'
>> New sha1sum is : '9241833f9901325ac39916b95cfa192d24a2cb20'
>>
>> --END OF NOTIFICATION
>>
>> OSSEC HIDS Notification.
>> 2014 Feb 06 04:40:38
>>
>> Received From: (xxxxxxxx) XXX.XX.58.194->syscheck
>> Rule: 550 fired (level 7) -> "Integrity checksum changed."
>> Portion of the log(s):
>>
>> Integrity checksum changed for: '/usr/bin/git-merge'
>> Size changed from '1412976' to '1417808'
>> Old md5sum was: '10dfa23bcacb1913419d4ca65a6442e2'
>> New md5sum is : 'd59af7c52c919ad764b9a7c6ee9e997a'
>> Old sha1sum was: '67ec1ab51b102638a4dbfdda2e5e0e38a29b0a5b'
>> New sha1sum is : '9241833f9901325ac39916b95cfa192d24a2cb20'
>>
>> --END OF NOTIFICATION
>>

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
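
The check suggested in the reply, as an added example (not code from the thread or from OSSEC): it reads the syscheck `<frequency>` from the server ossec.conf, the shared agent.conf and the agent's own ossec.conf, and reports whether they agree. The file contents are constructed; the first two mirror the quoted snippets, and the agent's local value of 79200 seconds (22 hours) is an assumption for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files; the first two mirror the snippets quoted in the thread.
SERVER_CONF = """<ossec_config>
  <syscheck>
    <!-- Frequency that syscheck is executed -- default every 20 hours -->
    <frequency>300</frequency>
  </syscheck>
</ossec_config>"""

SHARED_AGENT_CONF = """<agent_config>
  <syscheck>
    <frequency>300</frequency>
  </syscheck>
</agent_config>"""

# Assumption for illustration: the agent's local file still carries 22 hours.
AGENT_LOCAL_CONF = """<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
  </syscheck>
</ossec_config>"""


def syscheck_frequencies(conf_text):
    """Return [(block_tag, block_attributes, seconds)] for each syscheck frequency."""
    # "--" inside a comment is not well-formed XML, so drop comments before parsing.
    text = re.sub(r"<!--.*?-->", "", conf_text, flags=re.S)
    # A file may hold several top-level blocks; wrap them in one synthetic root.
    root = ET.fromstring("<root>" + text + "</root>")
    return [(block.tag, dict(block.attrib), int(freq.text.strip()))
            for block in root for freq in block.iterfind("syscheck/frequency")]


def audit(configs):
    """Collect frequencies per file and say whether the files disagree."""
    report = {name: syscheck_frequencies(text) for name, text in configs.items()}
    distinct = {sec for rows in report.values() for _, _, sec in rows}
    return report, len(distinct) > 1


if __name__ == "__main__":
    report, mismatch = audit({"server ossec.conf": SERVER_CONF,
                              "shared agent.conf": SHARED_AGENT_CONF,
                              "agent ossec.conf": AGENT_LOCAL_CONF})
    for name, rows in report.items():
        print(name, rows or "no <frequency> set")
    print("frequencies differ" if mismatch else "frequencies agree")
```

The block attributes are kept in the result because an `<agent_config>` block in agent.conf can be scoped to particular agents, so a matching value there does not by itself show that it applies to the agent in question.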
