As I mentioned in my previous message, ossec-logtest takes about 3
minutes before it will accept input.  During this time, it is stuck at
100% CPU usage.  ossec-analysisd does the same thing when starting
OSSEC.  After the 3 minutes is up, ossec-analysisd settles down to
about 30% CPU usage.

For example, I did "service ossec restart" and here's the relevant
info from /var/ossec/logs/ossec.log:
2010/03/04 13:59:18 ossec-monitord(1225): INFO: SIGNAL Received. Exit Cleaning...
2010/03/04 13:59:18 ossec-logcollector(1225): INFO: SIGNAL Received. Exit Cleaning...
2010/03/04 13:59:18 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
2010/03/04 13:59:18 ossec-remoted(1225): INFO: SIGNAL Received. Exit Cleaning...
2010/03/04 13:59:18 ossec-syscheckd(1225): INFO: SIGNAL Received. Exit Cleaning...
2010/03/04 13:59:18 ossec-analysisd(1225): INFO: SIGNAL Received. Exit Cleaning...
2010/03/04 13:59:18 ossec-maild(1225): INFO: SIGNAL Received. Exit Cleaning...
2010/03/04 13:59:18 ossec-execd(1314): INFO: Shutdown received. Deleting responses.
2010/03/04 13:59:18 ossec-execd(1225): INFO: SIGNAL Received. Exit Cleaning...
2010/03/04 13:59:18 ossec-maild: INFO: Started (pid: 28454).
2010/03/04 13:59:18 ossec-execd: INFO: Started (pid: 28458).
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading local decoder file.
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'rules_config.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'pam_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'sshd_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'telnetd_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'syslog_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'arpwatch_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'symantec-av_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'symantec-ws_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'pix_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'named_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'smbd_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'vsftpd_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'pure-ftpd_rules.xml'
2010/03/04 13:59:18 ossec-remoted: INFO: Started (pid: 28470).
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'proftpd_rules.xml'
2010/03/04 13:59:18 ossec-remoted: Remote syslog allowed from: '10.4.5.104'
2010/03/04 13:59:18 ossec-remoted: INFO: Started (pid: 28471).
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'ms_ftpd_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'ftpd_rules.xml'
2010/03/04 13:59:18 ossec-remoted: INFO: Started (pid: 28472).
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'hordeimp_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'roundcube_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'wordpress_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'vpopmail_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'vmpop3d_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'courier_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'web_rules.xml'
2010/03/04 13:59:18 ossec-rootcheck: System audit file not configured.
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'apache_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'nginx_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'php_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'mysql_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'postgresql_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'ids_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'squid_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'firewall_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'cisco-ios_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'netscreenfw_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'sonicwall_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'postfix_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'sendmail_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'imapd_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'mailscanner_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'dovecot_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'ms-exchange_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'racoon_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'vpn_concentrator_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'spamd_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'msauth_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'mcafee_av_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'trend-osce_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'zeus_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'solaris_bsm_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'vmware_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'ms_dhcp_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'asterisk_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'ossec_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'attack_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'local_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Total rules enabled: '1002'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: '/etc/mtab'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: '/etc/mnttab'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: '/etc/hosts.deny'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: '/etc/mail/statistics'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: '/etc/random-seed'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: '/etc/adjtime'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: '/etc/httpd/logs'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: '/etc/utmpx'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: '/etc/wtmpx'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: '/etc/cups/certs'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: '/etc/dumpdates'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: '/etc/svc/volatile'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/System32/LogFiles'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Debug'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/WindowsUpdate.log'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/iis6.log'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Logs'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/wbem/Repository'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Prefetch'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/PCHEALTH/HELPCTR/DataColl'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/SoftwareDistribution'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/Temp'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/config'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/spool'
2010/03/04 13:59:18 ossec-analysisd: INFO: Ignoring file: 'C:\WINDOWS/system32/CatRoot'
...SNIP...
2010/03/04 13:59:23 ossec-syscheckd: INFO: Started (pid: 28478).
2010/03/04 13:59:23 ossec-rootcheck: INFO: Started (pid: 28478).
2010/03/04 13:59:23 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2010/03/04 13:59:23 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2010/03/04 13:59:23 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin'.
2010/03/04 13:59:23 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2010/03/04 13:59:23 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2010/03/04 13:59:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/messages'.
2010/03/04 13:59:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/secure'.
2010/03/04 13:59:24 ossec-logcollector(1950): INFO: Analyzing file: '/var/log/maillog'.
2010/03/04 13:59:24 ossec-logcollector: INFO: Started (pid: 28466).
2010/03/04 13:59:55 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2010/03/04 14:02:41 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2010/03/04 14:03:34 ossec-analysisd: INFO: Connected to '/queue/alerts/ar' (active-response queue)
2010/03/04 14:03:34 ossec-analysisd: INFO: Connected to '/queue/alerts/execq' (exec queue)
2010/03/04 14:04:41 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).

Is this normal?

Thanks,
Doug Burks
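As an added example (not part of the original post and not OSSEC project code), the following Python script turns the kind of ossec.log excerpt quoted above into a measurable number: it re-joins log entries that a mail client wrapped across lines, then reports how long each daemon took from its first start-up message to the message that marks it as ready. The "ready" markers for ossec-analysisd (connecting to its alert queues, which happens after rule loading) and ossec-syscheckd (pre-scan finished), the line-joining heuristic, the alert threshold and the sample log are all assumptions made here; the sample is constructed from a handful of the entries quoted above with the elided middle omitted.

```python
"""Measure OSSEC daemon start-up latency from ossec.log entries.

Added example for the mailing-list post above; the sample log below is
constructed from a few of the quoted entries (timestamps kept, wrapped the
way the mail client wrapped them, the long rule/ignore lists omitted).
"""
import re
from datetime import datetime

# One ossec.log entry: "YYYY/MM/DD HH:MM:SS daemon(optional pid): message"
LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+?)(?:\((\d+)\))?: (.*)$"
)

# Assumed "ready" messages: analysisd connects to its queues only after all
# rules are loaded; syscheckd is usable once the pre-scan database exists.
READY_MARKERS = {
    "ossec-analysisd": "Connected to '/queue/alerts/ar'",
    "ossec-syscheckd": "Finished creating syscheck database",
}

# Constructed sample, wrapped at ~72 columns like the quoted post.
SAMPLE_LOG = """\
2010/03/04 13:59:18 ossec-analysisd(1225): INFO: SIGNAL Received. Exit
Cleaning...
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading local decoder file.
2010/03/04 13:59:18 ossec-analysisd: INFO: Reading rules file: 'pure-
ftpd_rules.xml'
2010/03/04 13:59:18 ossec-analysisd: INFO: Total rules enabled: '1002'
2010/03/04 13:59:18 ossec-remoted: INFO: Started (pid: 28470).
2010/03/04 13:59:23 ossec-syscheckd: INFO: Started (pid: 28478).
2010/03/04 13:59:23 ossec-syscheckd: INFO: Monitoring directory: '/
etc'.
2010/03/04 13:59:55 ossec-syscheckd: INFO: Starting syscheck database
(pre-scan).
2010/03/04 14:02:41 ossec-syscheckd: INFO: Finished creating syscheck
database (pre-scan completed).
2010/03/04 14:03:34 ossec-analysisd: INFO: Connected to '/queue/alerts/
ar' (active-response queue)
"""


def unwrap(text):
    """Re-join entries that were wrapped across physical lines.

    A line that does not start with a timestamp continues the previous entry.
    Heuristic: no separator when the previous fragment ends inside a path
    (trailing '/', '-' or '\\'), otherwise a single space.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if LINE_RE.match(line) or not entries:
            entries.append(line)
        else:
            prev = entries[-1]
            sep = "" if prev.endswith(("/", "-", "\\")) else " "
            entries[-1] = prev + sep + line
    return entries


def parse(entries):
    """Yield (timestamp, daemon, pid-or-None, message) per log entry."""
    for entry in entries:
        m = LINE_RE.match(entry)
        if not m:
            continue  # not an ossec.log entry
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), m.group(4)


def startup_latency(text):
    """Seconds from a daemon's first start-up message to its ready marker."""
    first, ready = {}, {}
    for ts, daemon, _pid, msg in parse(unwrap(text)):
        # Shutdown messages belong to the previous instance, not the new start.
        if "SIGNAL Received" in msg or "Shutdown received" in msg:
            continue
        first.setdefault(daemon, ts)
        marker = READY_MARKERS.get(daemon)
        if marker and marker in msg and daemon not in ready:
            ready[daemon] = ts
    return {d: int((ready[d] - first[d]).total_seconds()) for d in ready}


def slow_starts(text, threshold_s=60):
    """Daemons whose start-up latency exceeds the (assumed) threshold."""
    return {d: s for d, s in startup_latency(text).items() if s > threshold_s}


if __name__ == "__main__":
    for daemon, secs in sorted(startup_latency(SAMPLE_LOG).items()):
        print(f"{daemon}: ready after {secs} s")
    print("slow:", slow_starts(SAMPLE_LOG))
```

Run against a real /var/ossec/logs/ossec.log by passing its contents to startup_latency(); the unwrap step is harmless on an unwrapped file because every real entry starts with a timestamp. A latency that grows with each rule file added is the first thing to check when analysisd stays at full CPU during start-up.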
