Thank you for the follow-up on this. I am working on a solution to greatly improve the speed at which syscheck events are evaluated within analysisd. If you are able to send me your full configuration including rules so I can *try* to reproduce this myself, it would be great.
Sent from my iPhone

On Sep 18, 2010, at 2:49 AM, Tate Hansen <t...@clearnetsec.com> wrote:

> I believe I've discovered the elusive issue causing 1000s of agent
> disconnects in _my_ environment for months.
>
> It was caused by the volume of file integrity events ("ossec syscheck") ->
> which caused ossec-analysisd to peg the CPU at 100% -> which then appears to
> have caused agent disconnects.
>
> In a 24-hour period my environment could generate 75000+ file integrity
> events.
>
> Instead of configuring ossec.conf with additional "file/directories" to
> ignore, I had written rules (inside local_rules.xml) to simply reduce the
> "level" to 0 (i.e. I wanted to have a forensic trail, but not be alerted).
>
> As soon as I added the directories containing the majority of file changes
> to the ignore lines in ossec.conf -> restarted -> ossec-analysisd CPU
> consumption plummeted and I have yet to see a single agent disconnect
> message.
>
> Hope this helps others!
> -Tate
>
> On 9/17/10 10:36 AM, "Tate Hansen" <t...@clearnetsec.com> wrote:
>
>> Have you observed any ossec process sustaining 100% cpu usage?
>>
>> On 9/16/10 11:28 PM, "bcube" <bryan.bin...@gmail.com> wrote:
>>
>>> They would all reconnect by themselves and stay connected for a few
>>> hours then disconnect again. It's been like this for the past week.
>>>
>>> I've set the debug to level 2 on windows, syscheck, remoted etc. on
>>> the internal_options.conf but still can't see anything wrong.
>>>
>>> On Sep 17, 11:51 am, bcube <bryan.bin...@gmail.com> wrote:
>>>> Hi Dan,
>>>>
>>>> -Version of server is 2.4
>>>> -Version for agents are mixed from 2.0 to 2.4
>>>> -Everything is working fine until Sep 9, 2010
>>>>
>>>> I've checked on the logs but can't seem to find any possible indication
>>>> as to what happened
>>>>
>>>> On Sep 17, 10:16 am, "ddp...@gmail.com" <ddp...@gmail.com> wrote:
>>>>
>>>>> What version of ossec? Did they ever work? Is there anything in the server
>>>>> and agent ossec.log file that might provide a clue?
>>>>>
>>>>> dan
>>>>>
>>>>> -----Original Message-----
>>>>> From: bcube
>>>>> Sent: 09/16/2010 9:38:10 PM
>>>>> Subject: [ossec-list] ossec agents disconnecting
>>>>>
>>>>> We are experiencing the same issues as the thread below for 1 week
>>>>> now. We have over 100+ agents mixed windows and linux. Will test the
>>>>> recommendations below.
>>>>>
>>>>> so far I set remoted.verify_msg_id=0 but still no effect.
>>>>> Will try clearing the rids.
>>>>>
>>>>> http://groups.google.com/group/ossec-list/browse_thread/thread/949c1b...
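The two approaches Tate contrasts in the quoted message, written out as an added illustrative configuration (not taken from the thread or from OSSEC's shipped files). A level-0 rule in local_rules.xml still forces ossec-analysisd to receive and match every syscheck event before discarding it, whereas syscheck `<ignore>` entries stop syscheckd from reporting those paths at all. The directory names and the local rule id are constructed placeholders.

```xml
<!-- local_rules.xml: the approach Tate first tried. Every event still
     reaches ossec-analysisd and is matched before being dropped to level 0,
     so the CPU cost per event remains. -->
<group name="local,syscheck,">
  <rule id="100100" level="0">
    <!-- 550 checksum changed, 553 file deleted, 554 file added -->
    <if_sid>550,553,554</if_sid>
    <!-- constructed example paths -->
    <match>/srv/app/cache/|/var/spool/example/</match>
    <description>Noisy file changes: keep the trail, do not alert</description>
  </rule>
</group>

<!-- ossec.conf on the manager (agent.conf for agents): the fix that worked.
     syscheckd never reports these paths, so analysisd never sees them. -->
<ossec_config>
  <syscheck>
    <frequency>7200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin,/srv/app</directories>
    <!-- constructed example paths: the directories generating most changes -->
    <ignore>/srv/app/cache</ignore>
    <ignore>/var/spool/example</ignore>
    <ignore type="sregex">.log$|.tmp$</ignore>
  </syscheck>
</ossec_config>
```

After editing, restart OSSEC as Tate did; the trade-off is that ignored paths leave no forensic trail at all, so keep `<ignore>` limited to directories whose churn you have already confirmed is benign.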