In the Misc section of the configuration file, you can set the interval (in seconds) between successive file checks:

SetFilecheckTime=value
Alternatively, you can specify a crontab-like schedule with:

FileCheckScheduleOne=schedule
The schedule follows the same rules as crontab(5) entries, with two notable exceptions: (a) lists are not allowed, and (b) ranges of names (like Mon-Fri) are allowed. See man 5 crontab for details. You can specify a list of schedules, with separate FileCheckScheduleOne=... directives on separate lines.
Note: If you need a list in your schedule, you can either use steps (like */2 for 'every two minutes/hours/...'), or you can specify a list of schedules, with separate FileCheckScheduleOne=... directives on separate lines.
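The following validator is an added example, not part of samhain: it checks a FileCheckScheduleOne or FileCheckScheduleTwo value against the rules stated above (five crontab(5) fields, steps allowed, ranges of names such as Mon-Fri allowed, comma lists rejected) and expands each field to the set of values it matches, so a schedule can be checked before it goes into the Misc section. The field names, limits and the three-letter month/day names are this example's own assumptions based on crontab(5).

```python
# Added example, not samhain's own code: validates a FileCheckScheduleOne/Two
# value against the rules above (five crontab(5) fields, steps allowed,
# ranges of names allowed, comma lists rejected).
import re

MONTHS = ["jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"]
DAYS = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]
# (field, lowest value, highest value, names the field accepts or None)
FIELDS = [("minute", 0, 59, None), ("hour", 0, 23, None),
          ("day-of-month", 1, 31, None), ("month", 1, 12, MONTHS),
          ("day-of-week", 0, 7, DAYS)]

def _value(tok, low, high, names):
    """Map a number or three-letter name (Mon, Jan) to an int in [low, high]."""
    if names and tok.lower() in names:
        return low + names.index(tok.lower())
    if not tok.isdigit() or not low <= int(tok) <= high:
        raise ValueError(f"bad value {tok!r}, allowed {low}-{high}")
    return int(tok)

def expand_field(spec, low, high, names=None):
    """Return the set of integers one schedule field matches."""
    if "," in spec:  # the one crontab(5) feature samhain does not support
        raise ValueError(f"list in {spec!r}: use */n or a second directive")
    m = re.fullmatch(r"([^/]+)(?:/([1-9]\d*))?", spec)
    if not m:
        raise ValueError(f"cannot parse field {spec!r}")
    base, step = m.group(1), int(m.group(2) or 1)
    if base == "*":
        first, last = low, high
    elif "-" in base:  # numeric range (1-5) or range of names (Mon-Fri)
        a, b = base.split("-", 1)
        first, last = _value(a, low, high, names), _value(b, low, high, names)
    else:
        first = last = _value(base, low, high, names)
    if first > last:
        raise ValueError(f"reversed range {spec!r}")
    return set(range(first, last + 1, step))

def parse_schedule(schedule):
    """Validate a five-field schedule; return {field: set of matching values}."""
    parts = schedule.split()
    if len(parts) != 5:
        raise ValueError("a schedule needs exactly five fields")
    return {name: expand_field(spec, low, high, names)
            for spec, (name, low, high, names) in zip(parts, FIELDS)}
```

A schedule that crontab would accept but samhain rejects, such as "0 1,13 * * *", raises ValueError; write it as two FileCheckScheduleOne directives instead.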
If you want to check some files rather often, while doing a more extensive check only sometimes, this is supported as follows:
Enclose all directories for the more extensive check in a %SCHEDULE_TWO ... !%SCHEDULE_TWO block like:

%SCHEDULE_TWO
dir=/check/only/once/per/day
!%SCHEDULE_TWO
Define an optional second schedule as follows (as with FileCheckScheduleOne, you can specify a list of schedules):

FileCheckScheduleTwo=schedule2
Rules:
All files and directories will always be checked at FileCheckScheduleTwo.
All single files (file=...) will always be checked at both FileCheckScheduleOne and FileCheckScheduleTwo (rationale: this is required to check for missing/added files in directories).
All directories outside the %SCHEDULE_TWO block will be checked at both FileCheckScheduleOne and FileCheckScheduleTwo.
All directories inside the %SCHEDULE_TWO block will be checked at FileCheckScheduleTwo only.
Missing files: If you are using a second schedule, the full check for missing files will only be done at FileCheckScheduleTwo. For paths defined directly in the configuration (e.g. with file=...), samhain will detect immediately that the file is missing, if the path is checked at FileCheckScheduleOne.