Issue #35 new

Syscheck agent.conf configurable random start window

Anonymous created an issue

see http://groups.google.com/group/ossec-list/browse_thread/thread/d206699fc007e220/e53b581ec3d62b06#e53b581ec3d62b06

BP9906
Feb 9, 12:04 pm

Is it possible to have multiple start times for Syscheck?

I tried <scan_time>05:00,11:00,18:00</scan_time>

but the ossec agent complains about it. I'm going to try <scan_time>05:00</scan_time> <scan_time>11:00</scan_time> <scan_time>18:00</scan_time>

Just trying to find a happy medium here.

The problem is that if I use frequency to every 6-7 hrs it causes a UDP storm from 30+ machines for syscheck data on top of the usual alert sending. I've maxed out the buffer size on my Linux kernel, ossec server agent count is very high, and the server can handle it, just that there's so much that the ossec server doesn't read the buffer fast enough for the data coming through so I get intermittent results/data for the roughly 30 min window while all these machines send their syscheck results.

It would be nice to be able to give syscheck a random 2hr window to the start time to reduce this chance, or to be able to stagger out the machines in separate agent.conf configs based on multiple start times.


dan (ddp)
Feb 10, 5:34 am

I like the randomized start time idea. Something like "run every 6-ish hours, but start 1-30 minutes after the 6 hour mark."


BP9906
Feb 10, 3:23 pm

Yeah I agree. The random window is good. Would be good if it was configurable though because that window might not amount to much if you have a lot of agents at a particular interval. I think having an hour random time for me should be sufficient, but others might not like a whole hour.


dan (ddp)
Feb 14, 7:18 am

Agree, 100%.
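
The configurable start window proposed in this thread, sketched as an added example (not OSSEC code and not written by anyone in the thread): each agent derives a fixed offset inside the window from a hash of its name, used here instead of a random draw so the spread is reproducible. The function names, the `agent-NN` names and the 60-second bucket are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* FNV-1a hash of the agent name: a stable per-agent value, so each agent
 * keeps the same offset every cycle without any coordination. */
static uint32_t fnv1a(const char *s) {
    uint32_t h = 2166136261u;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 16777619u; }
    return h;
}

/* Seconds to wait after the frequency mark before starting the scan.
 * window_sec == 0 disables the spread; a window longer than the frequency
 * is clamped so a scan never slides into the next cycle. */
uint32_t start_offset(const char *agent, uint32_t frequency_sec,
                      uint32_t window_sec) {
    if (window_sec > frequency_sec) window_sec = frequency_sec;
    if (window_sec == 0) return 0;
    return fnv1a(agent) % window_sec;
}

/* Largest number of agents whose scans start in the same bucket_sec slice.
 * Agent names "agent-00".."agent-NN" are constructed sample data. */
int peak_starts(int n_agents, uint32_t frequency_sec, uint32_t window_sec,
                uint32_t bucket_sec) {
    int counts[4096] = {0};
    int peak = 0;
    char name[32];
    for (int i = 0; i < n_agents; i++) {
        snprintf(name, sizeof name, "agent-%02d", i);
        uint32_t b = start_offset(name, frequency_sec, window_sec) / bucket_sec;
        if (b >= 4096) b = 4095;          /* keep the index in range */
        if (++counts[b] > peak) peak = counts[b];
    }
    return peak;
}

int main(void) {
    uint32_t freq = 6 * 3600;  /* the 6-hour frequency from the thread */
    printf("no window : peak %d agents/min\n", peak_starts(30, freq, 0, 60));
    printf("30 min    : peak %d agents/min\n", peak_starts(30, freq, 1800, 60));
    printf("60 min    : peak %d agents/min\n", peak_starts(30, freq, 3600, 60));
    return 0;
}
```

With no window all 30 agents land in the same minute, which is the burst described in the first post; widening the window lowers that peak at the cost of a less predictable scan time.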
