ossec / ossec-hids

OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.
http://www.ossec.net

Issues with File Integrity Monitoring (Syscheck) #2088

Closed Dylan818 closed 11 months ago

Dylan818 commented 1 year ago

Hi, I was trying to configure syscheck to occur every 60 seconds instead of the default 22 hours. However, after I changed it, as a proof of concept, I decided to add in a comment in the ossec.conf file. To my understanding, in 60 seconds OSSEC should be able to pick up that the ossec.conf file has been modified and flag an alert, but none was flagged in my case. Why could that be the case?

atomicturtle commented 1 year ago

That's probably too low; my guess is that what is happening is that the scan can't complete before it gets started again. You can see when syscheck finishes its scan in ossec.log. Also, have you tried out the realtime setting?
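
A way to check the two things suggested above (whether the scan actually fits inside the configured interval, and whether the edited file is under a realtime-monitored directory), as an added example that is not part of this thread and not OSSEC project code. It parses a constructed ossec.conf syscheck fragment and a constructed ossec.log excerpt; the exact wording of the "Starting/Ending syscheck scan" lines, the single `<ossec_config>` root, the sample paths and timestamps, and the function names are all assumptions of the example:

```python
"""Added example (not OSSEC project code): sanity-check a syscheck
<frequency> against scan durations recorded in ossec.log, and show which
paths are covered by realtime monitoring."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

OSSEC_DEFAULT_FREQUENCY = 79200  # seconds; the 22-hour default the issue mentions

# Constructed ossec.conf syscheck fragment (assumption: one <ossec_config> root).
# <frequency> is in seconds; realtime="yes" on a <directories> entry asks
# syscheckd to watch it with inotify instead of waiting for the next scan.
OSSEC_CONF = """<ossec_config>
  <syscheck>
    <frequency>60</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" realtime="yes">/var/ossec/etc</directories>
  </syscheck>
</ossec_config>
"""

# Constructed ossec.log excerpt. The "Starting/Ending syscheck scan" lines are
# the markers referred to above; their exact wording here is assumed.
OSSEC_LOG = """\
2023/05/01 10:00:00 ossec-syscheckd: INFO: Starting syscheck scan.
2023/05/01 10:03:30 ossec-syscheckd: INFO: Ending syscheck scan.
2023/05/01 10:04:30 ossec-syscheckd: INFO: Starting syscheck scan.
2023/05/01 10:07:45 ossec-syscheckd: INFO: Ending syscheck scan.
"""

SCAN_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-syscheckd: INFO: "
    r"(Starting|Ending) syscheck scan"
)


def parse_syscheck_config(conf_text):
    """Return the syscheck frequency and the realtime-monitored directories."""
    root = ET.fromstring(conf_text)
    syscheck = root.find("syscheck")
    freq_el = syscheck.find("frequency") if syscheck is not None else None
    frequency = int(freq_el.text) if freq_el is not None else OSSEC_DEFAULT_FREQUENCY
    realtime_dirs = []
    for d in (syscheck.iter("directories") if syscheck is not None else []):
        if d.get("realtime", "no").lower() == "yes":
            realtime_dirs.extend(p.strip() for p in d.text.split(","))
    return {"frequency": frequency, "realtime_dirs": realtime_dirs}


def scan_durations(log_text):
    """Pair each 'Starting' line with the next 'Ending' line; return seconds."""
    durations = []
    started = None
    for line in log_text.splitlines():
        m = SCAN_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if m.group(2) == "Starting":
            started = ts
        elif started is not None:
            durations.append(int((ts - started).total_seconds()))
            started = None
    return durations


def is_realtime_path(path, config):
    """True if path lies under a directory configured with realtime="yes"."""
    return any(path == d or path.startswith(d.rstrip("/") + "/")
               for d in config["realtime_dirs"])


def assess(config, durations):
    """Flag a frequency shorter than the longest observed scan."""
    longest = max(durations) if durations else 0
    return {
        "frequency": config["frequency"],
        "longest_scan": longest,
        "too_low": config["frequency"] < longest,
        # a change is reported only once a full scan has finished, so the
        # worst-case detection delay is roughly frequency plus scan time
        "worst_case_delay": config["frequency"] + longest,
    }


if __name__ == "__main__":
    cfg = parse_syscheck_config(OSSEC_CONF)
    print(assess(cfg, scan_durations(OSSEC_LOG)))
    print("ossec.conf realtime:", is_realtime_path("/var/ossec/etc/ossec.conf", cfg))
```

Run against a real ossec.log (`grep syscheckd /var/ossec/logs/ossec.log`) the same pairing shows how long a full scan takes on the host; if that is longer than the `<frequency>` you set, raise the interval or put the directories you care about under a `realtime="yes"` entry, which is what covers the ossec.conf edit in the sample configuration.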

Dylan818 commented 1 year ago

Ah, thank you. I have another question regarding the log analysis, does OSSEC only analyse logs from syslog? Or does it analyse from other log files as well?

atomicturtle commented 1 year ago

Oh yeah a ton of other formats, like the eventchannel on windows, or journald on linux.

atomicturtle commented 11 months ago

Closing this out as solved, but re-open this if it didn't cover your issue.