Closed Dylan818 closed 11 months ago
That's probably too low; my guess is that the scan can't complete before it gets started again. You can see when syscheck finishes its scan in ossec.log. Also, have you tried out the realtime setting?
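The check suggested in the comment above, as an added example that is not part of the original thread and is not OSSEC's own code: it pairs scan start and end lines from ossec.log and compares each scan's duration with a configured frequency. The sample log is constructed, and the message wording and timestamp format are assumptions to adjust to what your ossec.log actually prints.

```python
import re
from datetime import datetime

# Constructed sample in the style of ossec.log (assumed wording, not real output).
SAMPLE_LOG = """\
2019/03/01 10:00:00 ossec-syscheckd: INFO: Starting syscheck scan.
2019/03/01 10:07:30 ossec-syscheckd: INFO: Ending syscheck scan.
2019/03/01 10:08:30 ossec-syscheckd: INFO: Starting syscheck scan.
2019/03/01 10:15:10 ossec-syscheckd: INFO: Ending syscheck scan.
2019/03/01 10:16:10 ossec-syscheckd: INFO: Starting syscheck scan.
"""

# Timestamp, then the syscheck daemon name, then a start or end marker.
LINE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-syscheckd.*?"
    r"(Starting|Ending) syscheck scan"
)

def scan_durations(log_text):
    """Return (durations_in_seconds, scan_still_running) for syscheck scans."""
    durations, started = [], None
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if m.group(2) == "Starting":
            started = ts
        elif started is not None:
            durations.append(int((ts - started).total_seconds()))
            started = None
    # A start with no matching end means a scan was still running at end of log.
    return durations, started is not None

def frequency_too_low(log_text, frequency):
    """True when any completed scan took longer than `frequency` seconds."""
    durations, _ = scan_durations(log_text)
    return any(d > frequency for d in durations)

if __name__ == "__main__":
    durations, running = scan_durations(SAMPLE_LOG)
    print("scan durations (s):", durations, "| scan in progress:", running)
    print("frequency 60 too low:", frequency_too_low(SAMPLE_LOG, 60))
```
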
Ah, thank you. I have another question regarding the log analysis: does OSSEC only analyse logs from syslog? Or does it analyse other log files as well?
Oh yeah, a ton of other formats, like the eventchannel on Windows, or journald on Linux.
Closing this out as solved, but re-open this if it didn't cover your issue.
Hi, I was trying to configure syscheck to occur every 60 seconds instead of the default 22 hours. However, after I changed it, as a proof of concept, I decided to add a comment to the ossec.conf file. To my understanding, within 60 seconds OSSEC should be able to pick up that the ossec.conf file has been modified and flag an alert, but none was flagged in my case. Why could that be the case?