I've been curious about the performance of OSSEC in a server/agent 
architecture, so I have been emulating simultaneous events on a single 
agent by appending log entries to the agent's syslog.

Using a shell script for loop on the agent, I append 25 consecutive logs 
that match the format of a telnet failed password log. I figured 25 EPS 
should be easily captured by OSSEC.

However, on the server, (after enabling logall to archives), it doesn't 
seem like it is processing all the logs. 
/var/ossec/logs/archives/archives.log shows:

2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[*1*]: refused connect from 81.215.42.24
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[*13*]: refused connect from 81.215.42.158
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[14]: refused connect from 81.215.42.69
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[15]: refused connect from 81.215.42.32
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[16]: refused connect from 81.215.42.41
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[17]: refused connect from 81.215.42.74
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[18]: refused connect from 81.215.42.32
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[19]: refused connect from 81.215.42.222
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[20]: refused connect from 81.215.42.25
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[21]: refused connect from 81.215.42.141
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[22]: refused connect from 81.215.42.248
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[23]: refused connect from 81.215.42.45
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[24]: refused connect from 81.215.42.166
2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[25]: refused connect from 81.215.42.178

I put the for loop sequence identifier in the telnetd brackets [ ], and as 
you can see, this particular test didn't catch anything between the 2nd and 
12th log.

Does this have to do with UDP loss? Am I missing something, or possibly 
need to reconfigure OSSEC a certain way? Any help would be greatly 
appreciated!
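The load test described in this post, written out as an added example (not the poster's script): one function generates the numbered burst of fake telnetd lines on the agent, and another reads the server's archives.log and lists which sequence numbers never arrived, so the gap can be measured instead of eyeballed. The hostname "queen", agent name and archive path are the ones quoted above; the sample archive content and the source addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post.

# Emit N syslog-format lines whose telnetd PID field carries the loop index,
# so each line stays uniquely identifiable after it passes through OSSEC.
gen_test_lines() {
    n=$1
    i=1
    while [ "$i" -le "$n" ]; do
        printf 'Oct 1 14:15:55 queen telnetd[%d]: refused connect from 81.215.42.%d\n' \
            "$i" $(( (i * 7) % 254 + 1 ))
        i=$((i + 1))
    done
}
# On the agent the load test is just:  gen_test_lines 25 >> /var/log/syslog

# Read archives.log lines on stdin, pull the sequence number out of
# "telnetd[N]" (tolerating the *N* emphasis seen in the post), and print
# every number in 1..N that never showed up, one per line.
missing_seq() {
    expected=$1
    awk -v max="$expected" '
        match($0, /telnetd\[\*?[0-9]+\*?\]/) {
            s = substr($0, RSTART, RLENGTH)
            gsub(/[^0-9]/, "", s)
            seen[s + 0] = 1
        }
        END { for (i = 1; i <= max; i++) if (!(i in seen)) print i }
    '
}

# Constructed sample in the archives.log format quoted above: entries 1 and
# 13..25 arrived, 2..12 did not (the same gap the post observed).
sample_archive() {
    for i in 1 13 14 15 16 17 18 19 20 21 22 23 24 25; do
        printf '2016 Oct 03 13:53:31 (agent101) 192.168.0.101->/var/log/syslog Oct 1 14:15:55 queen telnetd[%d]: refused connect from 81.215.42.%d\n' "$i" "$i"
    done
}

# On the server (with logall enabled) the real check is:
#   missing_seq 25 < /var/ossec/logs/archives/archives.log
# Against the constructed sample this prints 2 through 12.
sample_archive | missing_seq 25
```

Running the burst and the check a few times with increasing counts shows whether the gap is a fixed-size drop or grows with the rate, which is the first thing to know before tuning the agent or server queue settings.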
