Hi Sean,

When OSSEC starts it sends all the integrity checking messages to the server (basically all the monitored file names and checksums), so it can use a lot of bandwidth. So make sure it runs the integrity checking slowly, take a look at:

http://www.ossec.net/wiki/index.php/Know_How:Syscheck_Perf

Especially changing the values of syscheck.sleep and sleep_after to something like:

syscheck.sleep=5
syscheck.sleep_after=5

Should use much less CPU/bandwidth.

*btw, which version of Windows are you using? It should not be using 100% of CPU at all...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, May 14, 2008 at 5:43 PM, Sean Brown <[EMAIL PROTECTED]> wrote:
>
> We have just started to roll out OSSec here, so we're starting with
> OSSec 1.5 on everything. We run a mix of Linux, Solaris, OS X and
> Windows servers that we will monitor. So far in a little over a week, we
> only have a few problems with the Windows Agent.
>
> First, we have a domain controller at another site, connected to our
> main site by a 768k connection. When we launched the ossec agent on this
> system, it saturated that connection and brought it down. Is there a way
> to throttle or somehow prevent ossec from bringing down that connection?
> I wasn't expecting the agent to be sending that much data in the first
> place.
>
> Our second problem is the amount of processor time the Windows agent is
> using. On the Windows servers we are running, the moment the agent
> launches the processor gets pegged at 100%. This is especially a problem
> on our VMWare Server machines where several Windows servers are running.
> Is there a guide or something for tuning OSSec?
>
> -Thank you.
>
