Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-28 Thread dan (ddp)
On Fri, Apr 28, 2017 at 3:07 PM, Nikki S wrote:
> With tcpdump, I do see traffic getting to the server. Since the syscheck is
> only enabled every 22 hours, I was wondering what the other traffic is!
>
> How can I verify if log monitoring has been turned off?
>

Check the ossec.conf on the agents, and make sure there are no
<localfile> entries.

> Thank you!
>
>
>
> On Thursday, April 27, 2017 at 5:42:34 PM UTC-4, dan (ddpbsd) wrote:
>>
>> On Wed, Apr 26, 2017 at 9:51 PM, Nikki Sridhar wrote:
>> > There shouldn't be! Only system integrity configuration is enabled and
>> > that runs every 20 hours. Real time system integrity check is enabled for
>> > 3 directories.
>> >
>>
>> Turn on the log all option on the server and see what appears in
>> archives.log.
>> That will give you an idea of how much each system is sending to the
>> server.
>>
>> Even using tcpdump to see if there is a lot of traffic passing between
>> one agent and the server might give you some ideas. Like if an agent
>> has its log monitoring turned on, even though the server doesn't do
>> anything with the logs.
>>
>> > I was wondering if clearing out the syscheck DB would help?
>> >
>>
>> I don't think so, but you can try it.
>>
>> > Thank you!
>> >
>> >> On Apr 26, 2017, at 3:02 PM, dan (ddp) wrote:
>> >>
>> >>> On Wed, Apr 26, 2017 at 9:59 AM, Nikki S wrote:
>> >>> We have about 480 agents reporting to the OSSEC server. The remoted
>> >>> server is running constantly at 100% CPU utilization. Any suggestions on
>> >>> how to remediate this please?
>> >>>
>> >>
>> >> Is there a lot of traffic between the agents and the server?
>> >>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-28 Thread Nikki S
With tcpdump, I do see traffic getting to the server. Since the syscheck is 
only enabled every 22 hours, I was wondering what the other traffic is!

How can I verify if log monitoring has been turned off? 

Thank you! 



On Thursday, April 27, 2017 at 5:42:34 PM UTC-4, dan (ddpbsd) wrote:
>
> On Wed, Apr 26, 2017 at 9:51 PM, Nikki Sridhar wrote:
> > There shouldn't be! Only system integrity configuration is enabled and
> > that runs every 20 hours. Real time system integrity check is enabled for
> > 3 directories.
> >
>
> Turn on the log all option on the server and see what appears in 
> archives.log. 
> That will give you an idea of how much each system is sending to the 
> server. 
>
> Even using tcpdump to see if there is a lot of traffic passing between 
> one agent and the server might give you some ideas. Like if an agent 
> has its log monitoring turned on, even though the server doesn't do 
> anything with the logs. 
>
> > I was wondering if clearing out the syscheck DB would help? 
> > 
>
> I don't think so, but you can try it. 
>
> > Thank you! 
> > 
> >> On Apr 26, 2017, at 3:02 PM, dan (ddp) wrote:
> >>
> >>> On Wed, Apr 26, 2017 at 9:59 AM, Nikki S wrote:
> >>> We have about 480 agents reporting to the OSSEC server. The remoted
> >>> server is running constantly at 100% CPU utilization. Any suggestions on
> >>> how to remediate this please?
> >>> 
> >> 
> >> Is there a lot of traffic between the agents and the server? 
> >> 


Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-27 Thread dan (ddp)
On Wed, Apr 26, 2017 at 9:51 PM, Nikki Sridhar wrote:
> There shouldn't be! Only system integrity configuration is enabled and that
> runs every 20 hours. Real time system integrity check is enabled for 3
> directories.
>

Turn on the log all option on the server and see what appears in archives.log.
That will give you an idea of how much each system is sending to the server.

Even using tcpdump to see if there is a lot of traffic passing between
one agent and the server might give you some ideas. Like if an agent
has its log monitoring turned on, even though the server doesn't do
anything with the logs.

> I was wondering if clearing out the syscheck DB would help?
>

I don't think so, but you can try it.

> Thank you!
>
>> On Apr 26, 2017, at 3:02 PM, dan (ddp) wrote:
>>
>>> On Wed, Apr 26, 2017 at 9:59 AM, Nikki S wrote:
>>> We have about 480 agents reporting to the OSSEC server. The remoted server is
>>> running constantly at 100% CPU utilization. Any suggestions on how to
>>> remediate this please?
>>>
>>
>> Is there a lot of traffic between the agents and the server?
>>

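The two checks suggested in this thread (turn on the server's log-all option and read archives.log to see what each agent sends; confirm no `<localfile>` entries remain on the agents) can be combined into one pass over archives.log. The script below is an added example, not code from the thread or from the OSSEC project: it tallies events per source and location and lists every source that still sends log-collector events, which is exactly the trace an active `<localfile>` leaves. The archives.log line layout is an assumption based on the usual `(agent) ip->location` form, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed archives.log line layout (written by the manager when <logall> is on):
#   "YYYY Mon DD HH:MM:SS (agent-name) agent-ip->location original log text"
# Events generated on the manager itself have no "(agent) ip" part:
#   "YYYY Mon DD HH:MM:SS hostname->location original log text"
ARCHIVE_RE = re.compile(
    r"^\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+))->(?P<location>\S+) "
)

# Locations produced by syscheck/rootcheck; anything else comes from the
# log collector, i.e. from a <localfile> entry that is still active.
INTEGRITY_LOCATIONS = {"syscheck", "rootcheck"}

def summarize_archives(lines):
    """Return {source: {location: count}}; lines that do not parse are skipped."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = ARCHIVE_RE.match(line)
        if not m:
            continue
        source = m.group("agent") or m.group("host")
        counts[source][m.group("location")] += 1
    return {src: dict(locs) for src, locs in counts.items()}

def sources_with_log_monitoring(summary):
    """Sources (agents, or the manager) that sent non-integrity events."""
    return sorted(
        src for src, locs in summary.items()
        if any(loc not in INTEGRITY_LOCATIONS for loc in locs)
    )

# Constructed sample lines for demonstration, not real archive data.
SAMPLE = """\
2017 Apr 27 10:15:01 (web01) 10.0.0.5->syscheck +++ File '/etc/passwd' modified.
2017 Apr 27 10:15:02 (web01) 10.0.0.5->/var/log/auth.log Apr 27 10:15:02 web01 sshd[123]: Accepted publickey
2017 Apr 27 10:15:02 (web01) 10.0.0.5->/var/log/auth.log Apr 27 10:15:02 web01 sshd[123]: session opened
2017 Apr 27 10:15:03 (db01) 10.0.0.9->syscheck +++ File '/etc/shadow' modified.
2017 Apr 27 10:15:04 (db01) 10.0.0.9->rootcheck System Audit: checking /etc
2017 Apr 27 10:15:05 ossec-server->/var/log/messages Apr 27 10:15:05 ossec-server kernel: ...
"""

if __name__ == "__main__":
    summary = summarize_archives(SAMPLE.splitlines())
    for src, locs in sorted(summary.items(), key=lambda kv: -sum(kv[1].values())):
        print(f"{src}: {sum(locs.values())} events {locs}")
    print("log monitoring still active on:", sources_with_log_monitoring(summary))
```

On a real server, feed it the lines of /var/ossec/logs/archives/archives.log collected over one scan interval; the sources at the top of the per-event ranking are the ones worth a tcpdump look.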

Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-27 Thread Phil Porada
It may be worth investigating an upgrade to OSSEC 2.9.0. 

According to the changelog, there are 2 potentially useful fixes that may
help you out: https://github.com/ossec/ossec-hids/releases

   - Avoids computing hashes multiple times to improve performance
   - Syscheck improvements

Alternatively, try bumping up the amount of allocated CPUs. Maybe you've 
finally topped out the server node? Do you have historical graphs of CPU 
usage during scan times?



Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-27 Thread Nikki S
OSSEC HIDS v2.8.3. 8 GB of RAM and 4 CPU cores VM. 

On Wednesday, April 26, 2017 at 10:23:02 PM UTC-4, Phil Porada wrote:
>
> What version of OSSEC are you running? What specs does the server node 
> have?
>



Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-26 Thread Phil Porada
What version of OSSEC are you running? What specs does the server node have?



Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-26 Thread Nikki Sridhar
There shouldn't be! Only system integrity configuration is enabled and that
runs every 20 hours. Real time system integrity check is enabled for 3
directories.

I was wondering if clearing out the syscheck DB would help? 

Thank you!

> On Apr 26, 2017, at 3:02 PM, dan (ddp) wrote:
> 
>> On Wed, Apr 26, 2017 at 9:59 AM, Nikki S wrote:
>> We have about 480 agents reporting to the OSSEC server. The remoted server is
>> running constantly at 100% CPU utilization. Any suggestions on how to
>> remediate this please?
>> 
> 
> Is there a lot of traffic between the agents and the server?
> 


Re: [ossec-list] ossec-remoted high CPU utilization

2017-04-26 Thread dan (ddp)
On Wed, Apr 26, 2017 at 9:59 AM, Nikki S wrote:
> We have about 480 agents reporting to the OSSEC server. The remoted server is
> running constantly at 100% CPU utilization. Any suggestions on how to
> remediate this please?
>

Is there a lot of traffic between the agents and the server?



[ossec-list] ossec-remoted high CPU utilization

2017-04-26 Thread Nikki S
We have about 480 agents reporting to the OSSEC server. The remoted server is
running constantly at 100% CPU utilization. Any suggestions on how to
remediate this please?
