Thanks, that helped a lot and definitely sped it up.  We went from several 
hours to 4 minutes now.  This includes our entire webapp.


Is there a way to speed up rootcheck?  That is the longest part of the scan 
that takes 15 minutes now, so the whole process takes approx 20 minutes now.

But I would like to disable rootcheck when you send, for example, the 
following command:

 /var/ossec/bin/agent_control -r -u 1027


The main reason is that anytime we deploy I want to follow what is in the doc: 
stop ossec on the manager, then clear the database and run a new baseline, but 
I am trying to speed up the process.  Is there a way to disable rootcheck 
when I do that command?  I need to do that because otherwise I will get 
tons of emails every time we do a deploy.

Thanks
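
The syscheck.sleep / syscheck.sleep_after tuning quoted below in Jesus's reply, worked through as an added example that is not part of this thread: it computes the sleep overhead for a given file count, the exact speed-up between the default (2 s per 15 files) and the suggested (1 s per 150 files) settings, and pairs the Starting/Ending syscheck lines from ossec.log into scan durations so you can see whether the last scan actually completed. The sample log lines are constructed (the two syscheck timestamps come from the thread; the rootcheck line is invented).

```python
import re
from datetime import datetime

# local_internal_options.conf values as (syscheck.sleep seconds, syscheck.sleep_after files)
DEFAULT_SLEEP = (2, 15)   # OSSEC default: sleep 2 s after every 15 files
TUNED_SLEEP = (1, 150)    # the tuning suggested in the thread

def sleep_overhead(num_files, settings):
    """Seconds a syscheck scan spends sleeping for num_files with (sleep, sleep_after)."""
    sleep, sleep_after = settings
    return (num_files // sleep_after) * sleep

def speedup(before, after):
    """How many times less sleep-per-file 'after' has than 'before' (exact ratio)."""
    return (before[0] * after[1]) / (before[1] * after[0])

SCAN_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-syscheckd: INFO: (Starting|Ending) syscheck scan$"
)

def scan_durations(log_lines):
    """Pair Starting/Ending syscheck lines from ossec.log into scan durations (seconds).

    Returns (durations, in_progress): in_progress is True when the last scan has
    started but not logged an end yet, i.e. agent_control's 'last started' with no end.
    """
    durations, start = [], None
    for line in log_lines:
        m = SCAN_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if m.group(2) == "Starting":
            start = ts          # a restart before an Ending line discards the old start
        elif start is not None:
            durations.append((ts - start).total_seconds())
            start = None
    return durations, start is not None

# Constructed sample log: syscheck timestamps from the thread, rootcheck line invented
SAMPLE_LOG = """\
2017/06/07 14:21:51 ossec-syscheckd: INFO: Starting syscheck scan
2017/06/07 14:22:10 ossec-rootcheck: INFO: Starting rootcheck scan
2017/06/07 14:27:19 ossec-syscheckd: INFO: Ending syscheck scan
2017/06/07 14:40:00 ossec-syscheckd: INFO: Starting syscheck scan
""".splitlines()

if __name__ == "__main__":
    print(scan_durations(SAMPLE_LOG))           # ([328.0], True)
    print(speedup(DEFAULT_SLEEP, TUNED_SLEEP))  # 20.0
```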


On Wednesday, June 7, 2017 at 11:36:13 AM UTC-4, Jesus Linares wrote:
>
> Hi John,
>
> there is a way to speed up syscheck. By default *syscheck sleeps 2 
> seconds every 15 files*. This avoids packet loss due to UDP. You can 
> override this configuration in *local_internal_options.conf*:
>
> $ nano /var/ossec/etc/local_internal_options.conf
>
> syscheck.sleep=1
> syscheck.sleep_after=150
>
>
> This is 20 times faster than the default configuration. I would not 
> increase these values more than 1 - 150.
>
> How many files are you scanning? Remember that syscheck is only for 
> important files.
>
> In *ossec.log *you should see something like:
>
> 2017/06/07 14:21:51 ossec-syscheckd: INFO: Starting syscheck scan
> ...
> 2017/06/07 14:27:19 ossec-syscheckd: INFO: Ending syscheck scan
>
>
> I hope it helps.
> Regards.
>
>
> On Wednesday, June 7, 2017 at 4:54:07 PM UTC+2, jose wrote:
>>
>> Hi John
>>
>> You cannot speed up syscheck, but you can always add the option 
>> *realtime* for your more important folders; with this option you will 
>> have the alerts in "real time" :)
>>
>>
>> https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html?highlight=realtime
>>
>>
>> Regards
>> -----------------------
>> Jose Luis Ruiz
>> Wazuh Inc.
>> jo...@wazuh.com
>>
>> On June 7, 2017 at 10:15:19 AM, John Kondur (kongf...@gmail.com) wrote:
>>
>> Thanks, I did find it and that did help.
>>
>> I had two more questions not sure if I should start another thread:
>>
>> I had frequency set on the agents to:
>>
>> <frequency>7200</frequency>
>>
>> I looked in the ossec.log and it never kicked off, and it has been 15 
>> hours since the last scan finished.  I restarted the agent and it kicked 
>> off but any idea what might not start it?  
>>
>>
>>
>> Second question:
>>
>> The scans seem to take a very long time; I ran it and it takes 4 hours on 
>> one of my web servers.  Is it the size of the files or the number of files 
>> that determines the scan time, and is there any way to speed it up?  
>>
>>
>> Thanks
>>
>>
>>
>> On Wednesday, June 7, 2017 at 5:21:01 AM UTC-4, Jesus Linares wrote: 
>>>
>>> Review the ossec.conf of the agent 1027. You should see a log for 
>>> starting/ending rootcheck and syscheck. 
>>>
>>> I hope it helps.
>>>
>>> On Tuesday, June 6, 2017 at 9:17:11 PM UTC+2, John Kondur wrote: 
>>>>
>>>> Thanks but unfortunately all it shows is the following: 
>>>>
>>>>
>>>> OSSEC HIDS agent_control. Agent information:
>>>>    Agent ID:   1027
>>>>    Agent Name: server1
>>>>    IP address: any/any
>>>>    Status:     Active
>>>>
>>>>    Operating system:    Linux 4.4.
>>>>    Client version:      OSSEC HIDS v2.8.3 / 
>>>> 6322ee12ea9a05951f97923a8341a01a
>>>>    Last keep alive:     Tue Jun  6 19:10:59 2017
>>>>
>>>>    Syscheck last started  at: Tue Jun  6 18:19:23 2017
>>>>    Rootcheck last started at: Tue Jun  6 18:41:54 2017
>>>>
>>>>  
>>>> It just shows last started, but never shows when it completes.
>>>>
>>>>
>>>> On Tuesday, June 6, 2017 at 4:42:52 AM UTC-4, Jesus Linares wrote: 
>>>>>
>>>>> Hi John, 
>>>>>
>>>>> I think it should appear in */var/ossec/bin/agent_control -i 1027.* 
>>>>> Also, you can review the ossec.conf of your agent.
>>>>>
>>>>> Regards.
>>>>>
>>>>> On Monday, June 5, 2017 at 6:24:14 PM UTC+2, John Kondur wrote: 
>>>>>>
>>>>>> I just started to use ossec, and was doing some testing by making 
>>>>>> some changes in a file in a directory, and then I run from the server: 
>>>>>>
>>>>>>
>>>>>> /var/ossec/bin/agent_control -r -a
>>>>>>
>>>>>>
>>>>>> if I do a query on the agent:
>>>>>>
>>>>>>
>>>>>>
>>>>>> /var/ossec/bin/agent_control -i 1027
>>>>>>
>>>>>>
>>>>>>
>>>>>> It will show the last time it started but never shows when it completes.  
>>>>>> Is there a process or way to check to see if it completed, or am I not 
>>>>>> waiting long enough?  So far I am not seeing ossec pick up the file 
>>>>>> changes.
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>> --
>>
>>
