Daniel: Yes, version 1.2 was downloaded and checksummed. This morning I let it run during a 2 hour meeting. Still 100% CPU on my return and nothing in the log files (with Debug set to "2") that stands out.
From the start this morning, the log shows:

2007/05/24 08:55:21 ossec-agent: DEBUG: Reading agent configuration.
2007/05/24 08:55:21 ossec-agent: DEBUG: Reading logcollector configuration.
2007/05/24 08:55:21 ossec-agent: DEBUG: Reading private keys.
2007/05/24 08:55:21 ossec-agent: No previous counter available for 'den-ev-00'.
2007/05/24 08:55:21 ossec-agent: Assigning counter for agent den-ev-00: '0:0'.
2007/05/24 08:55:21 ossec-agent: Assigning sender counter: 0:36
2007/05/24 08:55:21 ossec-agent: Connecting to server (172.16.17.205:1514).
2007/05/24 08:55:21 ossec-agent: DEBUG: Creating thread mutex.
2007/05/24 08:55:21 ossec-agent: Starting syscheckd thread.
2007/05/24 08:55:21 ossec-agent: Starting ...
2007/05/24 08:55:21 ossec-rootcheck: Started (pid: 4280).
2007/05/24 08:55:21 ossec-agent: Starting queue ...
2007/05/24 08:55:21 ossec-agent: Connecting to server (172.16.17.205:1514).
2007/05/24 08:55:21 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes'.
2007/05/24 08:55:21 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft'.
2007/05/24 08:55:21 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.
2007/05/24 08:55:21 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control'.
2007/05/24 08:55:21 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.
2007/05/24 08:55:21 ossec-agent: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.
2007/05/24 08:55:21 ossec-agent: Monitoring directory: 'D:\WINDOWS'.
2007/05/24 08:55:21 ossec-agent: Started (pid: 4280).
2007/05/24 08:55:36 ossec-agent(4101): Waiting for server reply (not started).
2007/05/24 08:55:38 ossec-agent(4102): Connected to the server.
2007/05/24 08:55:38 ossec-agent: DEBUG: Sending keep alive message.
2007/05/24 08:55:38 ossec-agent: DEBUG: Sending keep alive: #!-Microsoft Windows XP Professional x64 Edition Service Pack 2 (Build 3790) d41d8cd98f00b204e9800998ecf8427e ar.conf 83bd653bf7f3ff1d5702dda24bdb8c61 rootkit_files.txt d6e390753464a48796c62967ef037e9b rootkit_trojans.txt
2007/05/24 08:55:38 ossec-agent: DEBUG: Entering LogCollectorStart().
2007/05/24 08:55:38 ossec-agent(1951): Analyzing event log: 'Application'.
2007/05/24 08:55:40 ossec-agent(1951): Analyzing event log: 'Security'.
2007/05/24 09:51:13 ossec-agent: Received exit signal.
2007/05/24 09:51:13 ossec-agent: Exiting...

I will try letting it run overnight tonight and see if my PC is still standing in the morning.

--
Ed Vazquez
One man's constant is another man's variable. - Perlis

24 May 2007 09:59:45

> -----Original Message-----
> From: Daniel Cid [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 24, 2007 00:55
> To: [email protected]
> Cc: Vazquez, Ed
> Subject: Re: [ossec-list] Behavior of MS Windows "Agent"
>
> Hi Ed,
>
> That's very strange... Even when the agent starts and scans the system it should
> not use that much CPU. Does this problem go away after 20/30 minutes?
> Are you using version 1.2? There are some ways to reduce the CPU usage on the
> agent, but in your case it looks like a different issue...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 5/23/07, Vazquez, Ed <[EMAIL PROTECTED]> wrote:
> > Here's an odd one for you.
> >
> > Three different systems.
> >
> > One running Win2K3 Server on a quad Xeon, one running WinXP Pro x64 on
> > a dual Athlon, one running Win2K3 Server x64 on a Core2 Duo.
> >
> > On all three, the OSSEC agent chewed up a _minimum_ of 45% of the CPU
> > cycles along with using/accessing lsass and services, accounting for
> > the remaining 55%. This led to 100% CPU utilization on all platforms.
> >
> > Ouch.
> >
> > Is there some trick to the client that I'm missing?
> > Incompatibilities? Further debug data I can provide?
> >
> > Thanks,
> >
> > --
> > Ed Vazquez
> >
> > New: It comes in different colors from the previous version.
> > 23 May 2007 13:54:40
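As an added example (not code from this thread or from the OSSEC project), a small Python script that parses agent log lines in the format quoted above and reports stretches with no output at all; when a process sits at 100% CPU while the debug log is quiet, the length and position of that silence is the first thing worth pinning down. SAMPLE_LOG is a constructed subset of the lines Ed posted.

```python
import re
from datetime import datetime

# Line format seen in the thread: "YYYY/MM/DD HH:MM:SS component[(code)]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<comp>[\w-]+)(?:\((?P<code>\d+)\))?: (?P<msg>.*)$"
)

# Constructed sample: a subset of the agent log lines quoted in the thread.
SAMPLE_LOG = """\
2007/05/24 08:55:21 ossec-agent: DEBUG: Reading agent configuration.
2007/05/24 08:55:21 ossec-agent: Connecting to server (172.16.17.205:1514).
2007/05/24 08:55:36 ossec-agent(4101): Waiting for server reply (not started).
2007/05/24 08:55:38 ossec-agent(4102): Connected to the server.
2007/05/24 08:55:38 ossec-agent(1951): Analyzing event log: 'Application'.
2007/05/24 08:55:40 ossec-agent(1951): Analyzing event log: 'Security'.
2007/05/24 09:51:13 ossec-agent: Received exit signal.
2007/05/24 09:51:13 ossec-agent: Exiting...
"""

def parse_line(line):
    """Return a dict for one agent log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "component": m["comp"],
        "code": int(m["code"]) if m["code"] else None,
        "msg": m["msg"],
    }

def silences(lines, min_seconds=60):
    """Return (gap_seconds, last_msg_before, first_msg_after) for every
    stretch with no log output for at least min_seconds. A long silence
    while the process is busy means the work happens outside anything the
    agent logs, even at debug level 2."""
    events = [e for e in map(parse_line, lines) if e is not None]
    found = []
    for prev, cur in zip(events, events[1:]):
        gap = (cur["ts"] - prev["ts"]).total_seconds()
        if gap >= min_seconds:
            found.append((gap, prev["msg"], cur["msg"]))
    return found

def longest_silence(lines):
    """The single largest gap as (seconds, msg_before, msg_after), or None."""
    gaps = silences(lines, min_seconds=0)
    return max(gaps, key=lambda g: g[0]) if gaps else None

if __name__ == "__main__":
    for gap, before, after in silences(SAMPLE_LOG.splitlines()):
        print(f"{gap:7.0f}s silent after: {before!r} -> {after!r}")
```

On the sample the only silence longer than a minute is the 55 minutes between the last 'Analyzing event log' line and the exit signal, which is exactly the window the CPU was pegged in.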
