Yes, I saw that the log file showed a 3-minute gap between syscheckd starting and finishing pre-scan. However, ossec-syscheckd is not the process that is taking up 100% CPU. ossec-analysisd takes 100% CPU for 3 minutes. ossec-logtest does the same thing, and I wouldn't expect it to do anything with syscheckd.

I've looked at 2 other OSSEC installs and neither of them exhibits this behavior. When starting OSSEC, they do show the standard 3-minute syscheckd gap in the log file, but there is NO process taking 100% CPU for any amount of time. Also, starting ossec-logtest on these other OSSEC installs is instantaneous with no excessive CPU usage.

What would cause ossec-analysisd and ossec-logtest to hit 100% CPU usage for 3 minutes? Any ideas, Daniel Cid?

Thanks,
Doug Burks

On Mar 4, 4:02 pm, Joshua Gimer <jgi...@gmail.com> wrote:
> On Thu, Mar 4, 2010 at 12:11 PM, Doug Burks <mub...@gmail.com> wrote:
> > As I mentioned in my previous message, ossec-logtest takes about 3
> > minutes before it will accept input. During this time, it is stuck at
> > 100% CPU usage. ossec-analysisd does the same thing when starting
> > OSSEC. After the 3 minutes is up, ossec-analysisd settles down to
> > about 30% CPU usage.
> >
> > ....
> > 2010/03/04 13:59:55 ossec-syscheckd: INFO: Starting syscheck database
> > (pre-scan).
> > 2010/03/04 14:02:41 ossec-syscheckd: INFO: Finished creating syscheck
> > database (pre-scan completed).
> >
> > Is this normal?
> >
> > Thanks,
> > Doug Burks
>
> The majority of the time is being spent starting the syscheck database.
> Google seems to have a few results of OSSEC start logs that show around a 3
> minute start as well.
>
> --
> Thx
> Joshua Gimer