ossec.conf: Syscheck Options


Supported types

Syscheck options are available in the the following installation types:

  • server
  • local
  • agent


All global options must be configured in the /var/ossec/etc/ossec.conf and used within the <ossec_config> tag.

XML excerpt to show location:

        Syscheck options here



Use this option to add or remove directories to be monitored (they must be comma separated). All files and subdirectories will also be monitored. Drive letters without directories are not valid. At a minimum the ‘.’ should be included (D:\.). This should be set on the system you wish to monitor (or in the agent.conf if appropriate).

Default: /etc,/usr/bin,/usr/sbin,/bin,/sbin


  • realtime: Value=yes

    • This will enable realtime/continuous monitoring on Linux (using the inotify system calls) and Windows systems.
  • report_changes: Value=yes

    • Report diffs of file changes. This is limited to text files at this time.


    This option is only available on Unix-like systems.

  • check_all: Value=yes

    • All the following check_* options are used together.
  • check_sum: Value=yes

    • Check the md5 and sha1 hashes of the of the files will be checked.

      This is the same as using both check_sha1sum=”yes” and check_md5sum=”yes”

  • check_sha1sum: Value=yes

    • When used only the sha1 hash of the files will be checked.
  • check_md5sum: Value=yes

    • The md5 hash of the files will be checked.
  • check_size: Value=yes

    • The size of the files will be checked.
  • check_owner: Value=yes

    • Check the owner of the files selected.
  • check_group: Value=yes

    • Check the group owner of the files/directories selected.
  • check_perm: Value=yes

    • Check the UNIX permission of the files/directories selected. On windows this will only check the POSIX permissions.
  • restrict: Value=string

    • A string that will limit checks to files containing that string in the file name.

    Allowed: Any directory or file name (but not a path)


List of files or directories to be ignored (one entry per element). The files and directories are still checked, but the results are ignored.

Default: /etc/mtab


  • type: Value=sregex

    • This is a simple regex pattern to filter out files so alerts are not generated.

Allowed: Any directory or file name


Frequency that the syscheck is going to be executed (in seconds).

The default is 6 hours or 21600 seconds

Default: 21600

Allowed: Time in seconds


Time to run the scans (can be in the formats of 21pm, 8:30, 12am, etc)

Allowed: Time to run scan


Day of the week to run the scans (can be in the format of sunday, saturday, monday, etc)

Allowed: Day of the week


Specifies if syscheck will ignore files that change too often (after the third change)

Default: yes

Allowed: yes/no

Valid: server, local


Specifies if syscheck should alert on new files created.

Default: no

Allowed: yes/no

Valid: server, local


New files will only be detected on a full scan, this option does not work in realtime.


Specifies if syscheck should do the first scan as soon as it is started.

Default: yes

Allowed: yes/no


Use this option to add Windows registry entries to be monitored (Windows-only).


Allowed: Any registry entry (one per element)


New entries will not trigger alerts, only changes to existing entries.


List of registry entries to be ignored.

Default: ..CryptographyRNG

Allowed: Any registry entry (one per element)


Command to run to prevent prelinking from creating false positives.


<prefilter_cmd>/usr/sbin/prelink -y</prefilter_cmd>


This option can potentially impact performance negatively. The configured command will be run for each and every file checked.


Specifies if syscheck should scan network mounted filesystems. Works on Linux and FreeBSD. Currently skip_nfs will abort checks running against CIFS or NFS mounts.

Default: no

Allowed: yes/no