I've verified this issue on two CentOS 5.6 servers now:

1. OSSEC Server installation with ~40 agents. Attaching strace to the ossec-analysisd process shows that it's receiving syscheck info (filenames and hashes) from some of the OSSEC agents.

2. OSSEC local installation. Attaching strace to the ossec-analysisd process shows that it's receiving syscheck info (filenames and hashes) from some of the local files. (Of course, this doesn't cause the agents to disconnect since it is a local installation and there are no agents.)

Thanks,

--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com

On Thu, May 19, 2011 at 9:23 AM, Daniel Cid <daniel....@gmail.com> wrote:
> Awesome! :) Can you run strace in there so we can get an idea on what
> it is doing? It is probably in a lock/loop somewhere....
>
> thanks,
>
> On Thu, May 19, 2011 at 9:36 AM, Doug Burks <doug.bu...@gmail.com> wrote:
>> My CentOS 5.6 server is now displaying this behavior again. ossec-analysisd
>> is at 99% CPU usage and causing agents to disconnect. It's been a few weeks
>> since performing the upgrade to CentOS 5.6 and I haven't seen the issue
>> until today. Any ideas on how to troubleshoot ossec-analysisd?
>> Thanks,
>> Doug