Hi, running OSSEC version 1.5.1 on Windows 2003. It is maxing out the processor and then drops to about 70%, where it stays; this is the same on 4 systems I've tested this on. The system becomes unusable until you stop OSSEC. I have tried editing internal_options.conf to increase performance, but nothing changes. As soon as you start the agent, the system grinds to a halt until you stop it.
Snippet from the log on this agent; I disabled syscheck completely, but there was still no performance increase:

2008/07/04 17:13:54 ossec-agent: Exiting...
2008/07/07 11:54:18 ossec-agent(1410): INFO: Reading authentication keys file.
2008/07/07 11:54:18 ossec-agent: INFO: Assigning counter for agent xxxxxx: '0:3410'.
2008/07/07 11:54:18 ossec-agent: INFO: Assigning sender counter: 3101:4279
2008/07/07 11:54:20 ossec-agent: INFO: Connecting to server (x.x.x.x:1514).
2008/07/07 11:54:20 ossec-agent: Starting syscheckd thread.
2008/07/07 11:54:20 ossec-agent: WARN: Syscheck disabled.
2008/07/07 11:54:20 ossec-rootcheck: INFO: Started (pid: 19556).
2008/07/07 11:54:20 ossec-agent: INFO: Started (pid: 19556).
2008/07/07 11:54:21 ossec-agent(4102): INFO: Connected to the server.
2008/07/07 11:54:21 ossec-agent(1951): INFO: Analyzing event log: 'Application'.
2008/07/07 11:54:22 ossec-agent(1951): INFO: Analyzing event log: 'Security'.
2008/07/07 11:54:22 ossec-agent: No directories to check.
2008/07/07 11:54:26 ossec-agent(1951): INFO: Analyzing event log: 'System'.
2008/07/07 11:54:27 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\System32\LogFiles\W3SVC1\ex080707.log'.
2008/07/07 11:54:27 ossec-agent(1103): ERROR: Unable to open file 'C:\WINDOWS\System32\LogFiles\W3SVC1\ex080707.log'.
2008/07/07 11:54:27 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\System32\LogFiles\W3SVC1\ex080707.log'.
2008/07/07 11:54:27 ossec-agent: INFO: Started (pid: 19556).
2008/07/07 11:55:43 ossec-agent: INFO: Event count after '20000': 11037966->6639208 (60%)
2008/07/07 11:56:55 ossec-agent: INFO: Event count after '20000': 11039041->6639680 (60%)
2008/07/07 11:58:06 ossec-agent: INFO: Event count after '20000': 11036431->6638560 (60%)
2008/07/07 11:59:18 ossec-agent: INFO: Event count after '20000': 11032330->6636840 (60%)
2008/07/07 12:00:29 ossec-agent: INFO: Event count after '20000': 11038856->6639648 (60%)
2008/07/07 12:01:41 ossec-agent: INFO: Event count after '20000': 11036342->6638576 (60%)
2008/07/07 12:02:57 ossec-agent: INFO: Event count after '20000': 11031682->6636456 (60%)
2008/07/07 12:04:18 ossec-agent: INFO: Event count after '20000': 11033334->6637288 (60%)
2008/07/07 12:05:33 ossec-agent: INFO: Event count after '20000': 11032210->6636848 (60%)
2008/07/07 12:06:44 ossec-agent: INFO: Event count after '20000': 11031915->6636584 (60%)
2008/07/07 12:07:58 ossec-agent: INFO: Event count after '20000': 11039786->6640128 (60%)

This continues on in the log with no other entries. Any ideas?
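As an added example (not part of the post above and not OSSEC's own code), the following Python script parses the agent's "Event count after 'N'" progress lines quoted in the post and works out how many events per second the agent is shipping between consecutive reports, plus the compression ratio each line reports. The first five quoted lines are embedded as sample input; the 50 events/second threshold in flag_high_rate is an assumed tuning value, not anything OSSEC defines.

```python
import re
from datetime import datetime

# Sample input: the first five "Event count" lines quoted in the post above.
SAMPLE_LOG = """\
2008/07/07 11:55:43 ossec-agent: INFO: Event count after '20000': 11037966->6639208 (60%)
2008/07/07 11:56:55 ossec-agent: INFO: Event count after '20000': 11039041->6639680 (60%)
2008/07/07 11:58:06 ossec-agent: INFO: Event count after '20000': 11036431->6638560 (60%)
2008/07/07 11:59:18 ossec-agent: INFO: Event count after '20000': 11032330->6636840 (60%)
2008/07/07 12:00:29 ossec-agent: INFO: Event count after '20000': 11038856->6639648 (60%)
"""

# Matches one progress line: timestamp, event batch size, raw->sent byte counts, percentage.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ossec-agent: INFO: "
    r"Event count after '(?P<events>\d+)': (?P<raw>\d+)->(?P<sent>\d+) \((?P<pct>\d+)%\)$"
)


def parse_event_counts(text):
    """Return one dict per progress line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"),
            "events": int(m.group("events")),
            "raw_bytes": int(m.group("raw")),
            "sent_bytes": int(m.group("sent")),
        })
    return records


def event_rates(records):
    """(seconds elapsed, events per second) for each pair of consecutive reports.

    Each report says 'events' more events were sent since the previous one,
    so the rate is that count divided by the gap between the two timestamps.
    """
    rates = []
    for prev, cur in zip(records, records[1:]):
        seconds = (cur["ts"] - prev["ts"]).total_seconds()
        if seconds <= 0:  # clock skew or duplicate line: no meaningful rate
            continue
        rates.append((seconds, cur["events"] / seconds))
    return rates


def compression_ratio(record):
    """Bytes actually sent divided by raw bytes (the '(60%)' figure on the line)."""
    return record["sent_bytes"] / record["raw_bytes"]


def flag_high_rate(records, threshold_eps=50.0):
    """True if any interval exceeds the (assumed) sustained events/second threshold."""
    return any(rate > threshold_eps for _, rate in event_rates(records))


if __name__ == "__main__":
    recs = parse_event_counts(SAMPLE_LOG)
    for (seconds, eps), rec in zip(event_rates(recs), recs[1:]):
        print(f"{rec['ts']}: {seconds:.0f}s gap, {eps:.1f} events/s, "
              f"compression {compression_ratio(rec):.2f}")
    print("sustained high event rate:", flag_high_rate(recs))
```

Run against the quoted lines, the agent is reporting a 20000-event batch roughly every 71 to 72 seconds, i.e. on the order of 280 events per second, which is the figure to compare against what the monitored event logs and the IIS log file are actually producing.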
