v1.5 preview – scan_time and scan_day on syscheck

This feature has been requested for a while and is now finally available. In the past, the only way to specify when rootcheck/syscheck was supposed to run was by frequency (every 10 hours or every 2 days, for example).

The default configuration would always look like:

<syscheck>
..
<frequency>86000</frequency>
..
</syscheck>

In version 1.5, we have two additional options: scan_time and scan_day. They allow you to run the scans at specific times or on specific days of the week.

Example 1: Running syscheck/rootcheck every day at 11pm:

<syscheck>
..
<scan_time>23:00</scan_time>
..
</syscheck>

Example 2: Running syscheck/rootcheck on Tuesday, Thursday and Saturday at 9:30pm:

<syscheck>
..
<scan_time>9:30pm</scan_time>
<scan_day>tuesday, thursday, saturday</scan_day>
..
</syscheck>

Note that when you use scan_time and scan_day, the frequency setting is not used. Hope you enjoy!
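
The scheduling rule described above, as an added Python example (not OSSEC's own code): it reads a <syscheck> block and works out when the next scan falls, which shows how long a host goes between integrity checks. It handles only the two time notations shown in this post; the function names, the sample block and the treatment of a frequency-only block (interval counted from the moment passed in) are assumptions.

```python
# Added illustration, not OSSEC source. Models only what the post states.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

DAYS = ["monday", "tuesday", "wednesday", "thursday",
        "friday", "saturday", "sunday"]  # index matches datetime.weekday()

def parse_scan_time(text):
    """Parse the two notations used in the post: '23:00' and '9:30pm'."""
    m = re.fullmatch(r"(\d{1,2}):(\d{2})\s*(am|pm)?", text.strip().lower())
    if not m:
        raise ValueError(f"unsupported scan_time: {text!r}")
    hour, minute, suffix = int(m.group(1)), int(m.group(2)), m.group(3)
    if suffix:
        if not 1 <= hour <= 12:
            raise ValueError(f"bad 12-hour value: {text!r}")
        hour = hour % 12 + (12 if suffix == "pm" else 0)
    if hour > 23 or minute > 59:
        raise ValueError(f"out of range: {text!r}")
    return hour, minute

def parse_scan_day(text):
    """Turn 'tuesday, thursday, saturday' into a set of weekday numbers."""
    names = [d.strip().lower() for d in text.split(",")]
    unknown = [d for d in names if d not in DAYS]
    if unknown:
        raise ValueError(f"unknown day(s): {unknown}")
    return {DAYS.index(d) for d in names}

def next_scan(syscheck_xml, now):
    """Return (datetime, source) for the next scan after `now`."""
    cfg = ET.fromstring(syscheck_xml)
    time_txt, day_txt = cfg.findtext("scan_time"), cfg.findtext("scan_day")
    if time_txt is None and day_txt is None:
        # Assumption: the interval is counted from `now`.
        return now + timedelta(seconds=int(cfg.findtext("frequency"))), "frequency"
    if time_txt is None:
        raise ValueError("scan_day without scan_time is not modelled here")
    hour, minute = parse_scan_time(time_txt)
    days = parse_scan_day(day_txt) if day_txt else set(range(7))
    for offset in range(8):  # today .. same weekday next week
        cand = (now + timedelta(days=offset)).replace(
            hour=hour, minute=minute, second=0, microsecond=0)
        if cand > now and cand.weekday() in days:
            return cand, "schedule"  # <frequency> is not consulted

# Constructed sample: Example 2 from the post plus a leftover <frequency>.
SAMPLE = """<syscheck><frequency>86000</frequency><scan_time>9:30pm</scan_time>
<scan_day>tuesday, thursday, saturday</scan_day></syscheck>"""

if __name__ == "__main__":
    print(next_scan(SAMPLE, datetime(2008, 5, 9, 0, 7)))
```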


One Response to v1.5 preview – scan_time and scan_day on syscheck

  1. dan says:

    scan_day is throwing an error for me, copied right off this site:
    Starting OSSEC HIDS v1.5 (by Daniel B. Cid)…
    2008/05/09 00:07:00 ossec-syscheckd(1240): ERROR: Invalid time format: ‘tuesday, thursday, saturday-tuesday, thursday, saturday’.
    2008/05/09 00:07:00 ossec-syscheckd(1235): ERROR: Invalid value for element ‘scan_day’: tuesday, thursday, saturday.
    2008/05/09 00:07:00 ossec-syscheckd(1202): ERROR: Configuration error at ‘/var/ossec/etc/ossec.conf’. Exiting.
    2008/05/09 00:07:00 ossec-syscheckd(1202): ERROR: Configuration error at ‘/var/ossec/etc/ossec.conf’. Exiting.
    ossec-syscheckd: Configuration error. Exiting
