Had a similar problem myself. If you have enabled auditing, OSSEC agent be generating windows events by reading the logs - thus self-perpetuating the log generation.
You should see in the windows log, the OSSEC agent accessing a registry key. This key can have auditing removed through regedit/permissions/adnvansed/aditing. (Although this does introduce another problem if you need to have that key audited....) Regards, Walter Wilson -----Original Message----- From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Starks Sent: 01 February 2008 04:15 To: [email protected] Cc: [EMAIL PROTECTED] Subject: [ossec-list] Re: 1.4 client cpu usage Herb Steck wrote: > I have some servers (both 32 & 64bit) Windows 2003 R2 servers that after > reboot the ossec service & lsass.exe start to take over the cpu running > at about 50% utilization. What can be causing this? Anyone have any ideas? OSSEC will read the new event log entries and do a syscheck when starting. Do you have a high amount of logging enabled, such as with object access? ________________________________________________________________________ This email has been scanned for all viruses by the MessageLabs Email Security System. ________________________________________________________________________ ************************************************************************************************************ This email is confidential and intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient, be advised that you have received this email in error and that any use, dissemination, forwarding, printing or copying of this email is strictly prohibited. If you have received this email in error please contact the sender. We only print the emails we really need to
