Open TheWizardUk opened 1 year ago
Hi @TheWizardUk ,
The frequency option might be overlapping with your cron job because it sets the new timer to trigger the scan when the last scan has finished, adding a "scan" offset and starting to have a skew compared to a wall clock.
On the other hand, syscheck only allows setting one scan_time. In your case, it is only picking the last definition (
Unfortunately, trying to replace the frequency option with multiple scan_time entries is not currently available. But how about ignoring those "expected" files that were created by the cron task?
In case you strictly need this feature, please feel free to mark this issue as a Feature Request and explain this in a more explicit way.
I look forward to your comments. Nico
Hi Nico
Thanks for getting back to me,
That's exactly what's happening: on occasion the FIM scan time defined by frequency runs at the same time as the cron job and causes the false positive alerts.
I have 40+ agents and they all run a cron job every hour on the hour.
The script called every hour is to enable FIM from within a number of Docker containers.
The script finds running containers based on some criteria (i.e. is running and the name contains foo + bar).
It then docker cp's some files out of the containers, extracts some .jar files and places them into folders based on the container names.
On each run of the script, it deletes all the files and folders in the monitored dir that it gathered on the previous run.
Wazuh is then configured to monitor that dir and sub dirs based on frequency, and sha1-sums all the files.
Alerts then fire if the sha1sum has changed.
What I see is, if the frequency clashes with the cron job, Wazuh generates alerts for 'Delete', 'Add' and 'Modified'.
I have suppressed email alerts for the add and delete, but naturally, emails are sent for the modified.
Also, the FIM dashboard looks a mess when this happens.
So what I wanted to do was have my cron job run on the hour and tell the Wazuh agent to scan every 30 minutes past the hour.
I look forward to your reply
Thanks Mike
Sorry, I'm not sure how to do this: "mark this issue as a Feature Request".
Hi
I have an edge case when using the <frequency></frequency> variable: it occasionally clashes with an overcomplicated script called hourly via cron on the host the Wazuh agent is running on, and this in turn is causing false positive alerts in FIM. Therefore, I wanted to see if I could use something like the below, where I define the days and times for the scans to run.
The below seems to work as expected.
However, when introducing multiple scans like this, and when tailing the logs, I see inconsistent results with the set scan times, i.e. it does not scan every hour like I want.
Is it possible to define the days and multiple scans per day?
Thanks
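The scheduling choices discussed in this thread (the drifting interval-based frequency, the single wall-clock scan_time that Nico describes, and the suggestion of ignoring files whose churn is expected), as an added ossec.conf example that is not configuration from the thread or from the Wazuh project. The monitored path /opt/fim/containers, the .staging subdirectory, and the temp-file pattern are hypothetical placeholders for the directory the hourly script populates.

```xml
<!-- Added example, not from the thread. All paths are hypothetical. -->

<!-- Variant A: interval-based scheduling, as the thread describes it.
     The next scan is armed when the previous one finishes, so scan start
     times drift relative to the wall clock and will eventually coincide
     with a cron job that runs on the hour. -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>3600</frequency>

    <!-- Directory the hourly cron script refills with extracted .jar files.
         check_all enables the sha1 comparison the thread relies on, plus
         size, owner, permission, md5 and sha256 checks. -->
    <directories check_all="yes">/opt/fim/containers</directories>

    <!-- Nico's suggestion: exclude files whose churn is expected, so only
         the final .jar files are compared. Here a hypothetical scratch area
         the script writes into while docker cp and extraction run, and
         partial files matched by an OSSEC-style regex. -->
    <ignore>/opt/fim/containers/.staging</ignore>
    <ignore type="sregex">.tmp$|.part$</ignore>
  </syscheck>
</ossec_config>

<!-- Variant B: wall-clock scheduling used instead of frequency.
     syscheck takes a single scan_time (with an optional scan_day); adding a
     second scan_time does not add a scan, only the last definition is used.
     This pins one scan per day at 00:30, which cannot collide with an
     on-the-hour cron job, but it is one scan per day, not one per hour. -->
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <scan_time>00:30</scan_time>

    <directories check_all="yes">/opt/fim/containers</directories>
    <ignore>/opt/fim/containers/.staging</ignore>
    <ignore type="sregex">.tmp$|.part$</ignore>
  </syscheck>
</ossec_config>
```

Only one of the two variants belongs in a given agent's ossec.conf. After editing, restart the agent (for example with `systemctl restart wazuh-agent`) and confirm in ossec.log that the scan starts at the time you expect before relying on it to avoid the cron window.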