Hi Thiago,

Maybe this is not exactly an issue, if you have configured a large amount 
of files –or Windows Registry entries– to be monitored.

The thing is that Syscheck is actually sleeping most of the time, and does 
so in order not to congest the network. 

You can do some tuning on Syscheck settings: there are two parameters at 
file "/var/ossec/etc/internal_options.conf":

syscheck.sleep=2
syscheck.sleep_after=15


syscheck.sleep means the number of seconds to sleep between "scanning 
stages". syscheck.sleep_after refers to the number of items to be scanned 
on each stage. Increasing  or decreasing  would improve performance but 
would attenuate reliability. If you have few agents (around 10) you may set 
these values:

syscheck.sleep=1
syscheck.sleep_after=150


This would improve the scan speed up to 20x. I tested this scenario with 8 
agents, with more than 99% packages received.

Hope it helps.
Best regards.


On Thursday, March 9, 2017 at 2:05:17 PM UTC-8, Thiago Campos wrote:
>
> Hi everyone! 
>
> I'm having an issue. Syscheck on a Windows agent is taking six hours to 
> perform. 
>
> --- Log on agent --- 
>
> 2017/03/09 02:44:39 ossec-agent: INFO: Starting syscheck scan.
>
> 2017/03/09 08:24:18 ossec-agent: INFO: Ending syscheck scan.
>
> -------
>
> Has anyone ever had this issue?
>
> Thanks,
>
> Thiago Campos
>
>
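The arithmetic behind the "up to 20x" figure in the reply, as an added example that is not part of the original thread or of OSSEC itself. It assumes the scan is sleep-bound (hashing and I/O time are ignored), so the projected duration is a best case; the function names are hypothetical.

```python
import re
from datetime import datetime

# The two pairs of settings quoted in the reply, as internal_options.conf text.
DEFAULT_CONF = "syscheck.sleep=2\nsyscheck.sleep_after=15\n"
TUNED_CONF = "syscheck.sleep=1\nsyscheck.sleep_after=150\n"

# The two agent log lines quoted in the question.
AGENT_LOG = """\
2017/03/09 02:44:39 ossec-agent: INFO: Starting syscheck scan.
2017/03/09 08:24:18 ossec-agent: INFO: Ending syscheck scan.
"""

def parse_options(text):
    """Return (sleep_seconds, sleep_after_items) from internal_options.conf text."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.fullmatch(r"syscheck\.(sleep|sleep_after)\s*=\s*(\d+)", line)
        if m:
            opts[m.group(1)] = int(m.group(2))
    return opts["sleep"], opts["sleep_after"]

def scan_seconds(log):
    """Seconds between the first 'Starting' and first 'Ending' syscheck scan lines."""
    pattern = r"(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) .*: (Starting|Ending) syscheck scan"
    stamps = {}
    for line in log.splitlines():
        m = re.match(pattern, line)
        if m:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            stamps.setdefault(m.group(2), when)
    return int((stamps["Ending"] - stamps["Starting"]).total_seconds())

def items_per_second(conf):
    """Sleep-bound ceiling: sleep_after items are scanned per sleep interval."""
    sleep, sleep_after = parse_options(conf)
    return sleep_after / sleep

def projected_seconds(log, old_conf, new_conf):
    """Assumption: duration scales inversely with the sleep-bound throughput."""
    return scan_seconds(log) * items_per_second(old_conf) / items_per_second(new_conf)

if __name__ == "__main__":
    speedup = items_per_second(TUNED_CONF) / items_per_second(DEFAULT_CONF)
    print(f"observed scan: {scan_seconds(AGENT_LOG)} s, speedup ceiling: {speedup:.0f}x")
    print(f"best-case scan after tuning: {projected_seconds(AGENT_LOG, DEFAULT_CONF, TUNED_CONF):.0f} s")
```
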
