Hi Joshua, Answers inline...

On Jan 7, 2008 6:12 PM, Joshua Gimer <[EMAIL PROTECTED]> wrote:
>
> I am trying to pitch using OSSEC to our Windows guys for integrity
> checking primarily, and I have two questions:
>
> 1. How well is OSSEC able to handle high load windows systems with
> large amounts of changing files?

It should handle it without any problems. We don't monitor the files in real time, but we scan the system every few hours (user configured) looking for changes. So, from an OSSEC standpoint, how often it changes is no problem. The issue may be the large amount of alerts that you will get from those changes.

*btw, integrity checking is only useful if you can verify that the changes made are valid/invalid.

> 2. Is there a way to force ossec-hids to not disable monitoring of
> filesystem locations that are changing frequently?

Yes, in the /var/ossec/etc/ossec.conf, just set "auto_ignore" to "no".
http://www.ossec.net/main/manual/#syscheck_options

> I did see this on the Wiki, but it does not answer the questions above
> http://www.ossec.net/wiki/index.php/High_CPU_usage_on_Windows_agent
>
> Any information would be helpful.
>
> Thanks
> Joshua Gimer
>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net
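For reference, an example syscheck block for the agent's ossec.conf that applies the two points in the reply (scan interval rather than real-time monitoring, and auto_ignore set to "no" so frequently changing locations stay monitored) while trimming the alert volume explicitly. This is an added illustration, not text from the thread or the OSSEC project's shipped defaults; the two-hour interval, the directory list and the ignore pattern are assumptions, and on a Windows agent the file is the ossec.conf in the agent's install directory rather than /var/ossec/etc/ossec.conf.

```xml
<ossec_config>
  <syscheck>
    <!-- Scan interval in seconds (assumed: every 2 hours). Syscheck scans on a
         schedule instead of watching files in real time, so this interval, not
         the rate of change on disk, is what drives the agent's load. -->
    <frequency>7200</frequency>

    <!-- Keep reporting files that change often instead of letting syscheck
         stop monitoring them after repeated changes. -->
    <auto_ignore>no</auto_ignore>

    <!-- Report files that appear in monitored directories, not only edits. -->
    <alert_new_files>yes</alert_new_files>

    <!-- Locations to check (assumed examples for a Windows agent). -->
    <directories check_all="yes">%WINDIR%/System32</directories>
    <directories check_all="yes">%PROGRAMFILES%</directories>

    <!-- With auto_ignore off, control the alert volume deliberately: skip
         only files whose changes nobody will verify (assumed pattern). -->
    <ignore type="sregex">.log$|.tmp$</ignore>
  </syscheck>
</ossec_config>
```

Whatever still changes between scans will now be reported every time, so the ignore list and the directory list are where the noise is tuned, not auto_ignore.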