Set <logall>true</logall> inside the <global> section of ossec.conf on the
OSSEC server. This will log everything to
/var/ossec/logs/archives/archives.log.
I would do that for 5 minutes, then disable it and look through that archive
to see what is showing up.

On Tue, Dec 19, 2017 at 8:35 AM, Sylvain Crouet <scro...@neocasesoftware.com
> wrote:

> Hello,
>
> How can I identify the agent on which I should do that? I already stopped
> the most verbose agents, and there is no change on CPU.
>
> Cordialement / Regards
>
> *Sylvain Crouet*
>
> Security Officer - *Security is everybody’s responsibility*
>
> Mobile +33 (0) 7 75 24 10 28
>
> *From:* ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] *On
> Behalf Of *Brett Simpson
> *Sent:* Thursday 14 December 2017 18:38
> *To:* ossec-list <ossec-list@googlegroups.com>
> *Subject:* [ossec-list] Re: ossec-remoted high CPU
>
> I would suggest you turn on debug on one of the agents and see what the
> agent is trying to send versus what the server actually keeps. I had issues
> with a few event IDs generating thousands of events per second that weren't
> even used by the ossec server so I used a line like this on the agent to
> drop them without sending.
>
>   <!-- Application channel: drop event IDs the server never uses -->
>   <localfile>
>     <location>Application</location>
>     <log_format>eventchannel</log_format>
>     <query>Event/System[EventID != 256] and Event/System[EventID != 258]</query>
>   </localfile>
>
>   <!-- Security channel: exclude the high-volume handle/process/filtering-platform IDs -->
>   <localfile>
>     <location>Security</location>
>     <log_format>eventchannel</log_format>
>     <query>Event/System[EventID != 4656] and Event/System[EventID != 4658] and Event/System[EventID != 4670] and Event/System[EventID != 4672] and Event/System[EventID != 4688] and Event/System[EventID != 4689] and Event/System[EventID != 4690] and Event/System[EventID != 5152] and Event/System[EventID != 5156] and Event/System[EventID != 5158] and Event/System[EventID != 5447]</query>
>   </localfile>
>
>   <!-- System channel: single exclusion -->
>   <localfile>
>     <location>System</location>
>     <log_format>eventchannel</log_format>
>     <query>Event/System[EventID != 7000]</query>
>   </localfile>
>
>
> On Tuesday, December 12, 2017 at 10:04:55 AM UTC-5, Sylvain Crouet wrote:
>
> Hello,
>
> One of my OSSEC server is always busy (100% CPU) for some days, with
> ossec-remoted between 90% and 100% CPU. This server manages about 65 agents
> only. What can explain this high CPU utilization and how can I solve it? I
> already restarted OSSEC services and the whole server.
>
> Cordialement / Kind regards
>
> *Sylvain Crouet*
>
> Security Officer - *Security is everybody’s responsibility*
>
> Mobile +33 (0) 7 75 24 10 28
>
> *Neocase™ Software is a leading provider of integrated HR and Finance
> service delivery solutions.*
>
> www.neocasesoftware.com
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

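The step between turning on logall and "looking through that archive" is counting: which agent is sending the most, and which Windows event IDs dominate its traffic. The script below is an added example, not code from the OSSEC project or from anyone in this thread. It assumes the archives.log line layout `YYYY Mon DD HH:MM:SS (agent) ip->location message` (events logged on the server itself carry only a hostname before `->`) and the `WinEvtLog: Channel: TYPE(EventID): ...` message prefix for event-channel logs; the sample archive embedded in it is constructed. It ranks agents, finds the IDs that make up most of one agent's Windows events, and renders them as the same kind of `<localfile>` exclusion Brett posted.

```python
"""Rank agents and Windows event IDs in an OSSEC archives.log capture.

Added example, not OSSEC project code. The line layout
"YYYY Mon DD HH:MM:SS (agent) ip->location message" and the
"WinEvtLog: Channel: TYPE(EventID): ..." prefix are assumptions about
the archive format; check them against your own archives.log first.
"""
import re
import sys
from collections import Counter

# Constructed sample of a few seconds of archives.log (not real data).
SAMPLE_ARCHIVE = """\
2017 Dec 19 08:35:01 (win-app01) 10.0.1.21->WinEvtLog: Security: AUDIT_SUCCESS(4656): Microsoft-Windows-Security-Auditing: handle requested
2017 Dec 19 08:35:01 (win-app01) 10.0.1.21->WinEvtLog: Security: AUDIT_SUCCESS(4658): Microsoft-Windows-Security-Auditing: handle closed
2017 Dec 19 08:35:01 (win-app01) 10.0.1.21->WinEvtLog: Security: AUDIT_SUCCESS(4656): Microsoft-Windows-Security-Auditing: handle requested
2017 Dec 19 08:35:02 (win-app01) 10.0.1.21->WinEvtLog: Security: AUDIT_SUCCESS(5156): Microsoft-Windows-Security-Auditing: connection allowed
2017 Dec 19 08:35:02 (lnx-db01) 10.0.2.7->/var/log/auth.log Dec 19 08:35:02 lnx-db01 sshd[1234]: Accepted publickey for ops
2017 Dec 19 08:35:03 ossec-srv->/var/log/syslog Dec 19 08:35:03 ossec-srv CRON[99]: (root) CMD (run-parts /etc/cron.hourly)
2017 Dec 19 08:35:03 (win-app01) 10.0.1.21->WinEvtLog: Security: AUDIT_SUCCESS(4656): Microsoft-Windows-Security-Auditing: handle requested
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>.+?)->(?P<location>\S+)\s*(?P<msg>.*)$"
)
AGENT_RE = re.compile(r"^\((?P<agent>[^)]+)\) (?P<ip>\S+)$")   # "(name) ip" for remote agents
WINEVT_RE = re.compile(r"^(?P<channel>[^:]+): \w+\((?P<eid>\d+)\)")  # "Security: AUDIT_SUCCESS(4656)"


def parse_archive_line(line):
    """Return ts/agent/ip/location/channel/event_id for one archive line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src = m.group("src")
    a = AGENT_RE.match(src)
    rec = {
        "ts": m.group("ts"),
        "agent": a.group("agent") if a else src,   # server-local events: hostname only
        "ip": a.group("ip") if a else None,
        "location": m.group("location").rstrip(":"),
        "channel": None,
        "event_id": None,
    }
    if rec["location"] == "WinEvtLog":
        w = WINEVT_RE.match(m.group("msg"))
        if w:
            rec["channel"] = w.group("channel")
            rec["event_id"] = int(w.group("eid"))
    return rec


def count_by_agent(lines):
    """Events per agent: the first number to look at when remoted is pegged."""
    c = Counter()
    for line in lines:
        rec = parse_archive_line(line)
        if rec:
            c[rec["agent"]] += 1
    return c


def count_event_ids(lines, agent):
    """(channel, event_id) counts for one agent's Windows event-channel lines."""
    c = Counter()
    for line in lines:
        rec = parse_archive_line(line)
        if rec and rec["agent"] == agent and rec["event_id"] is not None:
            c[(rec["channel"], rec["event_id"])] += 1
    return c


def exclusion_query(event_ids):
    """Build the <query> text that drops each ID, in the form used in the agent config."""
    return " and ".join(f"Event/System[EventID != {eid}]" for eid in sorted(set(event_ids)))


def localfile_block(channel, event_ids):
    """Render a <localfile> stanza excluding the given IDs on one Windows channel."""
    return (
        "  <localfile>\n"
        f"    <location>{channel}</location>\n"
        "    <log_format>eventchannel</log_format>\n"
        f"    <query>{exclusion_query(event_ids)}</query>\n"
        "  </localfile>\n"
    )


def noisiest(lines, top_n=3, min_share=0.25):
    """Top agents by volume, each with the (channel, id) pairs that are >= min_share of its Windows events."""
    lines = list(lines)
    by_agent = count_by_agent(lines)
    total = sum(by_agent.values())
    report = []
    for agent, n in by_agent.most_common(top_n):
        ids = count_event_ids(lines, agent)
        win_total = sum(ids.values())
        loud = {k: v for k, v in ids.items() if win_total and v / win_total >= min_share}
        report.append((agent, n, round(n / total, 2) if total else 0.0, loud))
    return report


if __name__ == "__main__":
    # Pipe archives.log on stdin; with no stdin the constructed sample is used.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_ARCHIVE.splitlines()
    for agent, n, share, loud in noisiest(lines):
        print(f"{agent}: {n} events ({share:.0%} of archive)")
        for (channel, eid), k in sorted(loud.items(), key=lambda kv: -kv[1]):
            print(f"   {channel} EventID {eid}: {k}")
        for ch in {c for c, _ in loud}:
            print(localfile_block(ch, [eid for (c, eid) in loud if c == ch]))
```

Run it as `python3 rank_archive.py < /var/ossec/logs/archives/archives.log` after a few minutes of logall. Before pasting the generated stanza into an agent's ossec.conf, check each ID against the rules on the server: dropping an ID that no rule matches only saves bandwidth and remoted CPU, but some of the IDs in the thread's list, 4688 (process creation) in particular, are common inputs for detection rules, so make sure you are not silencing something you rely on.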