-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Terry Morreale wrote:
> Thank you for the response.
>
> While it is not always over 60%, it is pretty much always over 40%. I
> have been watching it for about a day, and it bounces around between 40%
> and 75%.
>
> I am running the agent on Windows Server 2003. Also, I did change the
> syscheck interval to every 12 hours instead of every two hours - but it
> doesn't seem to have helped.
>

How sure are you of the stability of the disk(s) in this system? Also,
how are you measuring the processor time the process is getting?

> Daniel Cid wrote:
>> Hi Terry,
>>
>> Is the ossec cpu usage that high all the time? It should only go up
>> like that when you start ossec (since it will scan the file system
>> generating checksum of the files).

Daniel (et al.), I'm actually seeing results that are all over the
spectrum. I've got one box where the process usage is virtually nil,
another that is averaging about 15%, and another that seems to be
averaging about 60%. All three are WinXPSP2.

Instead of trying to watch this in Task Manager, I've set up a
performance counter for this process specifically. Right now, I'm just
watching "% Processor Time", but it might be interesting to add other
counters as well (IO Read/Writes, etc.).

[....SNIP....]

>> On 10/5/06, Terry Morreale <[EMAIL PROTECTED]> wrote:
>>> Folks,
>>> I have installed the Windows agent but am seeing CPU utilization by the
>>> ossec process at about 60%. Has anyone found a way to keep utilization
>>> lower, maybe around 10%?
>>>

[...SNIP...]

Here's the interesting part, and part of why I ask about the stability
of your disk(s), Terry.

The system that is virtually nil has 3x 80GB "known good" drives, with
about 20K files (in addition to system and program files). The system
that is averaging about 15% has 1x 30GB "known bad (but still
functional)" drive, and really doesn't have much in the way of "stored
data". And the system that is averaging 60% usage has 2x 40GB in RAID0,
and 1x 120 GB "known good" drive, and has around 3.5M files (including
OS and program files). I have had my suspicions (because of other
indicators) that at least one of the 40GB drives is going bad.

So, I'm guessing that this is related to the amount of disk IO that your
system is doing, and how well it is able to do that IO.

Incidentally, in the time it took to write this email, the one that was
at 15% is now down around nil, and the other that was at 60% is now
around 15%. So, I'm guessing that they were all running their scans when
I first started watching. (I still have mine set for every 2 hours.)

So, a lot of words for not really a resolution, but interesting
nonetheless.

- --
gentux
echo "hfouvyyAhnbjm/dpn" | perl -pe 's/(.)/chr(ord($1)-1)/ge'

gentux's gpg fingerprint ==> 5495 0388 67FF 0B89 1239 D840 4CF0 39E2 18D3 4A9E
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFJqlOTPA54hjTSp4RAlirAKDpEmqHrnbBh54pvTH0yMJhhAubgACfe1IQ
x7uoz4gNRg6oeXT4o/lEu1w=
=ydty
-----END PGP SIGNATURE-----
