On Fri, Apr 28, 2017 at 3:07 PM, Nikki S <nikkisridha...@gmail.com> wrote: > With tcpdump, I do see traffic getting to the server. Since the syscheck is > only enabled every 22 hours, I was wondering what the other traffic is! > > How can I verify if log monitoring has been turned off? >
Check the ossec.conf on the agents, and make sure there are no <localfile> entries. > Thank you! > > > > On Thursday, April 27, 2017 at 5:42:34 PM UTC-4, dan (ddpbsd) wrote: >> >> On Wed, Apr 26, 2017 at 9:51 PM, Nikki Sridhar <nikkisr...@gmail.com> >> wrote: >> > There shouldn't be! Only system integrity configuration is enabled and >> > that runs every 20 hours . Real time system integrity check is enabled for >> > 3 >> > directories. >> > >> >> Turn on the log all option on the server and see what appears in >> archives.log. >> That will give you an idea of how much each system is sending to the >> server. >> >> Even using tcpdump to see if there is a lot of traffic passing between >> one agent and the server might give you some ideas. Like if an agent >> has its log monitoring turned on, even though the server doesn't do >> anything with the logs. >> >> > I was wondering if clearing out the syscheck DB would help? >> > >> >> I don't think so, but you can try it. >> >> > Thank you! >> > >> >> On Apr 26, 2017, at 3:02 PM, dan (ddp) <ddp...@gmail.com> wrote: >> >> >> >>> On Wed, Apr 26, 2017 at 9:59 AM, Nikki S <nikkisr...@gmail.com> wrote: >> >>> We have about 480 agents reporting the OSSEC server. The remoted >> >>> server is >> >>> running constantly at 100% CPU utilization. Any suggestions on how to >> >>> re-mediate this please? >> >>> >> >> >> >> Is there a lot of traffic between the agents and the server? >> >> >> >>> -- >> >>> >> >>> --- >> >>> You received this message because you are subscribed to the Google >> >>> Groups >> >>> "ossec-list" group. >> >>> To unsubscribe from this group and stop receiving emails from it, send >> >>> an >> >>> email to ossec-list+...@googlegroups.com. >> >>> For more options, visit https://groups.google.com/d/optout. >> >> >> >> -- >> >> >> >> --- >> >> You received this message because you are subscribed to a topic in the >> >> Google Groups "ossec-list" group. >> >> To unsubscribe from this topic, visit >> >> https://groups.google.com/d/topic/ossec-list/6iUIQtsWLXY/unsubscribe. >> >> To unsubscribe from this group and all its topics, send an email to >> >> ossec-list+...@googlegroups.com. >> >> For more options, visit https://groups.google.com/d/optout. >> > >> > -- >> > >> > --- >> > You received this message because you are subscribed to the Google >> > Groups "ossec-list" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an email to ossec-list+...@googlegroups.com. >> > For more options, visit https://groups.google.com/d/optout. > > -- > > --- > You received this message because you are subscribed to the Google Groups > "ossec-list" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to ossec-list+unsubscr...@googlegroups.com. > For more options, visit https://groups.google.com/d/optout. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
