
[Ossec-list] RE : Syscheck doesn't seem to work ?



Thanks for the answer, Daniel.

I had put 60 seconds as frequency to test OSSEC HIDS, and on a test machine.
I hadn't noticed the lowest value of 3600 seconds...

Sorry, I want to go too fast sometimes.

Fred 

-----Original Message-----
From: Daniel Cid [mailto:daniel.cid at gmail.com] 
Sent: Thursday, April 06, 2006 5:06 PM
To: Fred
Cc: ossec-list at ossec.net
Subject: Re: [Ossec-list] Syscheck doesn't seem to work ?


Hi Fred,

Wait a little bit for the syscheck messages. Syscheck by default is
executed every 2 hours, with the minimum value being 1 hour
(3600 seconds). Scanning all your files every 60 seconds is not
a very good idea (it will kill your system performance). I could
probably lower this requirement to be any value, but I don't
think it is a good idea.

Some information about syscheck:
http://www.ossec.net/en/manual.html#syscheck_options

Thanks,

--
Daniel B. Cid
dcid @ ( at ) ossec.net
http://www.ossec.net


On 4/6/06, Fred <fcr-mailings at nerim.net> wrote:
> Hello,
>
> Well, I installed one agent and one server for tests.
>
> Problem is that system integrity doesn't seem to work:
>
>         1) on agent, I use:
>                 - frequency=60
>                 - directories=/etc/hosts (tried with /etc too)
>         2) I modify /etc/hosts, wait 2 minutes, then modify again
> /etc/hosts, wait 2 minutes again
>         3) I don't have any reporting emails...?
>
> I'm sure email reporting works: if I run "tcpdump" on agent machine, server
> sends an alert email.
>
> Some information:
>
>         - I run OSSEC HIDS 0.6p1
>         - Syscheckd is not "on" on server. Should I ? Only agent is
> interesting me.
>
> Thanks for your help.
>
> Fred


