Hi OSSec guys! I've read a little about people problems with "Event count after '20000'", but I think none found solution. My probem is ossec agent is filling network bandwidth to its limit. What kind of troubleshooting can I do? Regards, Y.
2012/11/30 11:33:20 ossec-agent(1410): INFO: Reading authentication keys file. 2012/11/30 11:33:20 ossec-agent: INFO: Assigning counter for agent plsrv13: '102:8550'. 2012/11/30 11:33:20 ossec-agent: INFO: Assigning sender counter: 3353:8058 2012/11/30 11:33:20 ossec-agent: INFO: Trying to connect to server (x.xx.xx.xxx:1514). 2012/11/30 11:33:20 ossec-agent: Starting syscheckd thread. 2012/11/30 11:33:20 ossec-rootcheck: INFO: Started (pid: 9720). 2012/11/30 11:33:20 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'. 2012/11/30 11:33:20 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'. 2012/11/30 11:33:20 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'. 2012/11/30 11:33:20 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'. 2012/11/30 11:33:20 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'. 2012/11/30 11:33:20 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'. 2012/11/30 11:33:20 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'. 2012/11/30 11:33:20 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/win.ini'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/system.ini'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\autoexec.bat'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\config.sys'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\boot.ini'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/CONFIG.NT'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/AUTOEXEC.NT'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/at.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/attrib.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/cacls.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/debug.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/drwatson.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/drwtsn32.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/edlin.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/eventcreate.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/eventtriggers.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/ftp.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/net.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/net1.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/netsh.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/rcp.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/reg.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/regedit.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/regedt32.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/regsvr32.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/rexec.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/rsh.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/runas.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/sc.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/subst.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/telnet.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/tftp.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/tlntsvr.exe'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\WINDOWS/System32/drivers/etc'. 2012/11/30 11:33:21 ossec-agent: INFO: Monitoring directory: 'C:\Documents and Settings/All Users/Start Menu/Programs/Startup'. 2012/11/30 11:33:21 ossec-agent: INFO: Started (pid: 9720). 2012/11/30 11:33:21 ossec-agent(4102): INFO: Connected to the server (x.xx.xx.xxx:1514). 2012/11/30 11:33:21 ossec-agent(1951): INFO: Analyzing event log: 'Application'. 2012/11/30 11:33:22 ossec-agent(1951): INFO: Analyzing event log: 'Security'. 2012/11/30 11:33:25 ossec-agent(1951): INFO: Analyzing event log: 'System'. 2012/11/30 11:33:25 ossec-agent(1952): INFO: Monitoring variable log file: 'C:\WINDOWS\System32\LogFiles\W3SVC1\ex121130.log'. 2012/11/30 11:33:25 ossec-agent(1950): INFO: Analyzing file: 'C:\WINDOWS\System32\LogFiles\W3SVC1\ex121130.log'. 2012/11/30 11:33:26 ossec-agent(1951): INFO: Analyzing event log: 'Application'. 2012/11/30 11:33:26 ossec-agent(1951): INFO: Analyzing event log: 'Security'. 2012/11/30 11:33:29 ossec-agent(1951): INFO: Analyzing event log: 'System'. 2012/11/30 11:33:30 ossec-agent: INFO: Started (pid: 9720). 2012/11/30 11:34:21 ossec-agent: INFO: Starting syscheck scan (forwarding database). 2012/11/30 11:34:21 ossec-agent: INFO: Starting syscheck database (pre-scan). 2012/11/30 11:34:24 ossec-agent: INFO: Event count after '20000': 9453838->5908072 (62%) 2012/11/30 11:34:25 ossec-agent: WARN: Error opening directory: 'C:\WINDOWS/System32/tftp.exe': No such file or directory 2012/11/30 11:34:25 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed). 2012/11/30 11:34:35 ossec-agent: INFO: Ending syscheck scan (forwarding database). 2012/11/30 11:34:55 ossec-agent: INFO: Starting rootcheck scan. 2012/11/30 11:35:02 ossec-agent: INFO: Ending rootcheck scan. 2012/11/30 11:35:17 ossec-agent: INFO: Event count after '20000': 9460168->5912664 (62%) 2012/11/30 11:36:12 ossec-agent: INFO: Event count after '20000': 9467279->5917368 (62%) 2012/11/30 11:37:08 ossec-agent: INFO: Event count after '20000': 9464726->5916480 (62%) 2012/11/30 11:38:03 ossec-agent: INFO: Event count after '20000': 9465979->5914296 (62%) 2012/11/30 11:38:56 ossec-agent: INFO: Event count after '20000': 9466859->5915712 (62%) 2012/11/30 11:39:51 ossec-agent: INFO: Event count after '20000': 9473582->5919744 (62%) 2012/11/30 11:40:43 ossec-agent: INFO: Event count after '20000': 9463735->5914416 (62%) 2012/11/30 11:41:39 ossec-agent: INFO: Event count after '20000': 9468835->5916144 (62%) 2012/11/30 11:42:34 ossec-agent: INFO: Event count after '20000': 9462256->5912216 (62%) 2012/11/30 11:43:26 ossec-agent: INFO: Event count after '20000': 9465600->5914496 (62%) 2012/11/30 11:44:22 ossec-agent: INFO: Event count after '20000': 9472401->5919200 (62%) 2012/11/30 11:45:13 ossec-agent: INFO: Event count after '20000': 9472078->5919176 (62%) 2012/11/30 11:46:09 ossec-agent: INFO: Event count after '20000': 9460318->5913368 (62%) 2012/11/30 11:47:05 ossec-agent: INFO: Event count after '20000': 9467939->5915384 (62%) 2012/11/30 11:47:56 ossec-agent: INFO: Event count after '20000': 9462608->5913400 (62%) 2012/11/30 11:48:52 ossec-agent: INFO: Event count after '20000': 9466969->5915728 (62%) 2012/11/30 11:49:44 ossec-agent: INFO: Event count after '20000': 9465830->5917176 (62%) 2012/11/30 11:50:40 ossec-agent: INFO: Event count after '20000': 9452138->5910624 (62%) 2012/11/30 11:51:35 ossec-agent: INFO: Event count after '20000': 9464740->5914760 (62%) 2012/11/30 11:52:30 ossec-agent: INFO: Event count after '20000': 9464995->5915032 (62%) 2012/11/30 11:53:14 ossec-agent: INFO: Event count after '20000': 9420178->5911656 (62%) 2012/11/30 11:54:06 ossec-agent: INFO: Event count after '20000': 9430207->5903728 (62%) 2012/11/30 11:54:54 ossec-agent: INFO: Event count after '20000': 9432936->5904088 (62%) 2012/11/30 11:55:49 ossec-agent: INFO: Event count after '20000': 9467181->5917208 (62%) 2012/11/30 11:56:41 ossec-agent: INFO: Event count after '20000': 9465798->5914912 (62%) 2012/11/30 11:57:37 ossec-agent: INFO: Event count after '20000': 9469893->5916472 (62%) 2012/11/30 11:58:25 ossec-agent: INFO: Event count after '20000': 9436604->5908736 (62%) 2012/11/30 11:59:17 ossec-agent: INFO: Event count after '20000': 9466721->5914640 (62%) 2012/11/30 12:00:13 ossec-agent: INFO: Event count after '20000': 9476238->5921400 (62%) 2012/11/30 12:01:06 ossec-agent: INFO: Event count after '20000': 9439356->5903800 (62%) 2012/11/30 12:02:01 ossec-agent: INFO: Event count after '20000': 9478618->5920608 (62%) 2012/11/30 12:02:55 ossec-agent: INFO: Event count after '20000': 9472557->5917640 (62%) 2012/11/30 12:03:53 ossec-agent: INFO: Event count after '20000': 9474962->5917592 (62%) 2012/11/30 12:04:47 ossec-agent: INFO: Event count after '20000': 9468347->5915216 (62%) 2012/11/30 12:05:41 ossec-agent: INFO: Event count after '20000': 9482500->5921080 (62%) 2012/11/30 12:06:35 ossec-agent: INFO: Event count after '20000': 9466504->5913856 (62%) 2012/11/30 12:07:33 ossec-agent: INFO: Event count after '20000': 9471199->5917064 (62%) 2012/11/30 12:08:27 ossec-agent: INFO: Event count after '20000': 9469476->5916440 (62%) 2012/11/30 12:09:21 ossec-agent: INFO: Event count after '20000': 9472977->5915568 (62%) 2012/11/30 12:10:14 ossec-agent: INFO: Event count after '20000': 9475089->5917248 (62%) 2012/11/30 12:11:08 ossec-agent: INFO: Event count after '20000': 9467065->5913752 (62%) 2012/11/30 12:12:02 ossec-agent: INFO: Event count after '20000': 9476369->5918936 (62%) 2012/11/30 12:13:01 ossec-agent: INFO: Event count after '20000': 9469523->5915048 (62%)
