We have just started to roll out OSSec here, so we're starting with OSSec 1.5 on everything. We run a mix of Linux, Solaris, OS X and Windows servers that we will monitor. So far in a little over a week, we only have a few problems with the Windows Agent.
First, we have a domain controller at another site, connected to our main site by a 768k connection. When we launched the ossec agent on this system, it saturated that connection and brought it down. Is there a way to throttle or somehow prevent ossec from bringing down that connection? I wasn't expecting the agent to be sending that much data in the first place.
Our second problem is the amount of processor time the Windows agent is using. On the Windows servers we are running, the moment the agent launches, the processor gets pegged at 100%. This is especially a problem on our VMware Server machines where several Windows servers are running. Is there a guide or something for tuning OSSec?
-Thank you.
