[an error occurred while processing this directive]

6. Timing file checks

In the Misc section of the configuration file, you can set the interval (in seconds) between succesive file checks:

SetFilecheckTime= value

Alternatively, you can specify a crontab-like schedule with:

FileCheckScheduleOne= schedule

The schedule follows the same rules as crontab(5) entries, with two noteable exceptions: (a) lists are not allowed, and (b) ranges of names (like Mon-Fri) are allowed. See man 5 crontab for details. You can specify a list of schedules, with separate FileCheckScheduleOne=... directives on separate lines.

[Note]Note

If you need a list in your schedule, you can either use steps (like */2 for 'every two minutes/hours/...), or you can specify a list of schedules, with separate FileCheckScheduleOne=... directives on separate lines.

6.1. Using a second schedule

If you want to check some files rather often, while doing a more extensive check only sometimes, this is supported as follows:

  • Enclose all directories for the more extensive check in a %SCHEDULE_TWO ... !%SCHEDULE_TWO block like:

    		%SCHEDULE_TWO
    		dir=/check/only/once/per/day
    		!%SCHEDULE_TWO
    	      
  • Define an optional second schedule as follows (similar to FileCheckSchedule, you can specify a list of schedules):

    FileCheckScheduleTwo= schedule2

Rules:

  1. All files and directories will always be checked at FileCheckScheduleTwo.

  2. All single files (file=...) will always be checked at both FileCheckScheduleOne and FileCheckScheduleTwo (rationale: this is required to check for missing/added files in directories).

  3. All directories outside the %SCHEDULE_TWO block will be checked at both FileCheckScheduleOne and FileCheckScheduleTwo.

  4. All directories inside the %SCHEDULE_TWO block will be checked at FileCheckScheduleTwo only.

[Note]Missing files

If you are using a second schedule, the full check for missing files will only be done at FileCheckScheduleTwo. For paths directly defined in the configuration, e.g. with file=... , samhain will detect immediately if the file is missing, if the path is checked at FileCheckScheduleOne.

[an error occurred while processing this directive]