Do you know how many events/logs it created per second? On the agent
side it should be able to easily handle many thousands of logs per
second without any tuning...

thanks,


On Sat, Jan 8, 2011 at 1:37 PM, jplee3 <jpl...@gmail.com> wrote:
> Hi all,
>
> We experienced 90%+ utilization from the ossec-agentd on a couple
> servers this morning and I was able to trace it to a log file that
> grew extremely large in a relatively short time window (1 GB of growth
> within a 2-3 hour time window). After removing the log from OSSEC's
> monitoring, agentd quieted down. Prior to this the systems were almost
> to the point of being hosed. This is on Linux btw. I read an article
> mentioning an excessive # of events, at least in Windows, will be the
> catalyst of issues like this.
>
> In any case, is there a breakdown on what OSSEC's limitation/capacity
> is with respect to this? Of course, I'm sure it's partly dependent on
> hardware capacity. One of the servers, in the same load-balanced VIP,
> did not experience these symptoms. The difference is that this
> particular server is running on leveled-up hardware (DL380 G4 versus
> the ones with issues: DL360 G4's) and a newer OS. I believe the
> DL360 G4's are both running 2.6.12-1.1372_FC3smp (Fedora Core 3?!?!?!)
> while the DL380 G4 is on RH (not sure which version but if I had to
> guess a more recent version of RHEL).
>
> Besides the 'obvious' rhetoric: "upgrade your hardware and software!"
> - are there any other possible avenues to investigate as to why the
> ossec-agentd was unable to handle the volume of log growth? Obviously
> it's the rate at which events are generated in the logs, as we
> understand that OSSEC does not read in the entire file at once, etc.
>
> Any ideas or suggestions?
>
>
> TIA!
>
>

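The reply above asks for the one number the original post does not give: how many lines per second the runaway log was actually producing. The following shell snippet is an added example written for this thread; it is not OSSEC code and not something either poster ran. It samples a log file's line count twice to get the live append rate, and separately turns a size-growth figure like the "1 GB in 2-3 hours" reported above into an estimated lines/second, assuming a line-oriented log and an average line length you supply (100 bytes is a guess, not a figure from the thread). With those assumptions, 1 GB over 2.5 hours works out to roughly 1,200 lines/second, which is in the range the reply says an untuned agent should absorb, so a measured rate well above that would point at the log itself, and a rate around or below it would point at something else on those older hosts.

```shell
#!/bin/sh
# Added example, not from the OSSEC thread: measure how fast a log that
# ossec-agentd monitors is growing, in lines per second.
#
#   sample_rate /var/log/messages 10     # live: lines/s appended over 10 s
#   est_lines_per_sec 1073741824 9000 100 # 1 GiB in 2.5 h at ~100 B/line
#
# Paths, the 10 s window and the 100-byte average line length are
# illustrative assumptions, not values taken from the thread.

# lines_in FILE -> current line count of FILE (0 if it does not exist)
lines_in() {
    if [ -f "$1" ]; then
        wc -l < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# rate_per_sec BEFORE AFTER SECONDS -> integer lines/second between samples.
# A count that went *down* means the file was rotated or truncated between
# samples, so the delta is clamped to 0 rather than reported as negative.
rate_per_sec() {
    before=$1
    after=$2
    secs=$3
    if [ "$secs" -le 0 ]; then
        echo 0
        return 1
    fi
    delta=$((after - before))
    [ "$delta" -ge 0 ] || delta=0
    echo $((delta / secs))
}

# sample_rate FILE [SECONDS] -> lines/second appended to FILE over the window
sample_rate() {
    file=$1
    secs=${2:-10}
    b=$(lines_in "$file")
    sleep "$secs"
    a=$(lines_in "$file")
    rate_per_sec "$b" "$a" "$secs"
}

# est_lines_per_sec BYTES SECONDS AVG_LINE_BYTES -> estimated lines/second
# from a size-growth observation (e.g. "the file grew 1 GB in 2-3 hours")
est_lines_per_sec() {
    bytes=$1
    secs=$2
    avg=$3
    if [ "$secs" -le 0 ] || [ "$avg" -le 0 ]; then
        echo 0
        return 1
    fi
    echo $(( bytes / avg / secs ))
}

# When invoked directly with a path, take one live sample of that file.
if [ "$#" -ge 1 ]; then
    sample_rate "$1" "${2:-10}"
fi
```

Run it against the file that made agentd spin while the burst is happening; a single sample over 10 s is enough to tell whether you are looking at hundreds, thousands or tens of thousands of lines per second, and the estimate function gives you the same order of magnitude after the fact from the size growth alone.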