I know you are focusing on the receiving side, but 30k EPS is really high even for 2k servers.
If the agents are on Windows servers, check your audit policies (local/global) to make sure you don't have object access and process tracking on (this is for debugging and not really useful to OSSEC imho) Grant On Tuesday, December 16, 2014 8:00:13 AM UTC-5, Chris Decker wrote: > > Good morning all, > > I have about 2,000 (heavily active) OSSEC agents sending logs to a > Manager. On the Manager side I've noticed that *ossec-remoted* is > hovering around 98% to 100% of a CPU. > > I was under the impression that *ossec-remoted* is multi-threaded, but I > only ever see one process running (and no childs). Am I doing something > incorrectly? I was speaking with some folks on IRC and they said that not > only is the process multi-threaded, but that a modern server could easily > handle 70,000 EPS. Right now I have a machine with 16 Intel Xeon cores > running at 3.3 GHz, and I estimate I'm seeing about 30,000 EPS. > > Any performance/tuning tips are appreciated!!! > > > > > Thanks, > Chris > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
