Re: [ossec-list] Ossec Windows Agent High Disk I/O Consumption

2017-05-26 Thread LGuerra


Hey,

Thanks for your reply. I'm gonna give it a try.

I'm gathering a list of events that I actually don't need, to make a more
refined exclusion list.

I will keep you posted.

Thanks!

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] Ossec Windows Agent High Disk I/O Consumption

2017-05-26 Thread LGuerra


Hi,

I think I just found out.

Since I'm running OSSEC on Server 2012 and in order to correctly view Event
Viewer logs, I switched "eventlog" to "eventchannel" on ossec.conf event
viewer settings. Which, according to the OSSEC documentation, uses the
"new" Event API for log translation.

http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.localfile.html

Now, for troubleshooting I rolled back and it started working normally with
normal disk consumption.

I guess it's this setting. However, I really needed it, otherwise I won't
be able to retrieve all the information from the event viewer logs.



Re: [ossec-list] Ossec Windows Agent High Disk I/O Consumption

2017-05-26 Thread LGuerra
Hi,

Thanks for your reply!

Yes. It's writing to ossec.log, however just the normal log output. No debug
at all. As far as I know, this should be the only writing operation.

Regards,



Re: [ossec-list] Ossec Windows Agent High Disk I/O Consumption

2017-05-25 Thread dan (ddp)
On Thu, May 25, 2017 at 11:37 AM, LGuerra wrote:
> Hi,
>
> I've been noticing heavy disk I/O operations on some of my OSSEC agents. The
> average write is around 2 mb/s and 0 mb/s for read operations (which is
> weird).
>
> Is anyone experiencing the same thing? Wasn't it supposed to be (at least more)
> reading instead of writing operations? And why is there such high
> consumption!?
>
> I'm using OSSEC 2.8.3 on Server 2012 R2.
>
> Syscheck frequency is set to 72000 and the settings I'm using (for log and
> event viewer monitoring) are set for both happening and not happening
> servers.
>
> Can someone help me?
>

Is it writing to ossec.log?

>
> Regards,
>
