Monitoring Settings

Default monitor mode - default_monitor_mode
The default startup option for monitor mode: either users or /usr/local/maldetect/monitor_paths (a file containing local paths to monitor). This option is REQUIRED for the systemd maldet.service script, which only checks the value of $default_monitor_mode. The service will fail to start if no value is provided.
Default: users

Base watches - inotify_base_watches
The base number of files that can be watched under a path. (maximum file watches = inotify_base_watches*users)
Default: 16384

Sleep between monitor runs - inotify_sleep
The time in seconds to sleep between monitor runs, which scan files that have been created, modified or moved.
Default: 15

Config data reload interval - inotify_reloadtime
The interval in seconds at which inotify monitoring reloads configuration data, including remote configuration imports.
Default: 3600

Minimum userid that will be added to user monitoring - inotify_minuid
The minimum userid that will be added to path monitoring when the USERS option is specified.
Default: 10000

Document root for users - inotify_docroot
The html/web root for users, relative to the user's homedir. When this option is set, only the webdir of each user is monitored. [ clear this option to monitor the entire user homedir ]
Default: httpdocs

Process CPU scheduling priority - inotify_cpunice
Process CPU scheduling (nice) priority level for scan operations. [ -19 = high prio, 19 = low prio, default = 19 ]
Default: 18

Process IO scheduling priority - inotify_ionice
Process IO scheduling (ionice) priority levels for scan operations. (uses cbq best-effort scheduling class [-c2]). [ 0 = most favorable IO, 7 = least favorable IO ]
Default: 6

CPU limit - inotify_cpulimit
Set a hard limit on CPU usage for inotify monitoring processes. This requires the "cpulimit" binary to be available on the server. Values are expressed as a relative percentage * N cores on the system: an 8-core system would accept values from 0 - 800, a 12-core system would accept 0 - 1200, etc.
Default: 0

Verbose - inotify_verbose
Log every file scanned by inotify monitoring mode. This is not recommended, as it will drown out your "event_log" file; it is intended only for debugging purposes.
Default: 0
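
The following check is an added example, not part of the original page or of maldet itself. It validates a set of monitoring options against the ranges listed above and computes the maximum file watches. It assumes the options are stored as shell-style key="value" lines; the function names, the sample configuration, the core count and the user count are all constructed for illustration.

```python
import re

# Constructed sample in shell-style key="value" form; values chosen to trip the checks.
SAMPLE_CONF = '''
# monitoring section (constructed)
default_monitor_mode=""
inotify_base_watches="16384"
inotify_cpunice="25"
inotify_ionice="6"
inotify_cpulimit="900"
inotify_verbose="1"
'''

# Defaults as listed on this page (default_monitor_mode is deliberately not
# defaulted, because the service needs an explicit value).
DEFAULTS = {"inotify_base_watches": "16384", "inotify_cpunice": "18",
            "inotify_ionice": "6", "inotify_cpulimit": "0", "inotify_verbose": "0"}

def parse_conf(text):
    """Parse key="value" lines; comment and blank lines are skipped."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z_]\w*)=["\']?([^"\'#]*)["\']?', line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def check_monitoring(conf, cores, monitored_users):
    """Return (findings, max_watches); cores and monitored_users come from the caller."""
    findings = []
    if not conf.get("default_monitor_mode", ""):
        findings.append("default_monitor_mode: empty, maldet.service will fail to start")
    limits = {"inotify_cpunice": (-19, 19), "inotify_ionice": (0, 7),
              "inotify_cpulimit": (0, 100 * cores)}  # cpulimit scales with core count
    for key, (low, high) in limits.items():
        try:
            value = int(conf[key])
        except ValueError:
            findings.append(f"{key}: {conf[key]!r} is not an integer")
            continue
        if not low <= value <= high:
            findings.append(f"{key}: {value} outside {low}..{high}")
    if conf["inotify_verbose"] != "0":
        findings.append("inotify_verbose: enabled, event_log will be flooded (debug only)")
    try:  # maximum file watches = inotify_base_watches * users
        max_watches = int(conf["inotify_base_watches"]) * monitored_users
    except ValueError:
        findings.append("inotify_base_watches: not an integer")
        max_watches = None
    return findings, max_watches
```

Calling check_monitoring(parse_conf(SAMPLE_CONF), cores=8, monitored_users=40) reports the empty monitor mode, the out-of-range nice and cpulimit values, and the enabled verbose logging, alongside the computed watch total.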