On Fri, 2008-05-16 at 14:42 -0300, Daniel Cid wrote:
> Hi Sean,
>
> When OSSEC starts it sends all the integrity checking messages to the
> server (basically all the monitored file names and checksums), so it
> can use a lot of bandwidth. So make sure it runs the integrity checking
> slowly, take a look at:
>
> http://www.ossec.net/wiki/index.php/Know_How:Syscheck_Perf
>
> Specially changing the values of syscheck.sleep and sleep_after to
> something like:
>
> syscheck.sleep=5
> syscheck.sleep_after=5
>
> Should use much less CPU/bandwidth.
>
> *btw, which version of Windows are you using? It should not be using
> 100% of CPU at all...
>

I'll try these on Monday.
We're using Windows Server 2003. The machine that took down our 768k line was 2003 R2. They all have Service Pack 2 installed. All of them pegged the CPU from the moment the service started to the moment it could be shut off.

> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Wed, May 14, 2008 at 5:43 PM, Sean Brown <[EMAIL PROTECTED]> wrote:
> >
> > We have just started to roll out OSSec here, so we're starting with
> > OSSec 1.5 on everything. We run a mix of Linux, Solaris, OS X and
> > Windows servers that we will monitor. So far in a little over a week, we
> > only have a few problems with the Windows Agent.
> >
> > First, we have a domain controller at another site, connected to our
> > main site by a 768k connection. When we launched the ossec agent on this
> > system, it saturated that connection and brought it down. Is there a way
> > to throttle or somehow prevent ossec from bringing down that connection?
> > I wasn't expecting the agent to be sending that much data in the first
> > place.
> >
> > Our second problem is the amount of processor time the Windows agent is
> > using. On the Windows servers we are running, the moment the agent
> > launches the processor gets pegged at 100%. This is especially a problem
> > on our VMWare Server machines where several Windows servers are running.
> > Is there a guide or something for tuning OSSec?
> >
> > -Thank you.
> >
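Added example, not part of the original thread and not OSSEC project code: a small Python estimator for what the two suggested settings imply for the initial syscheck scan on a slow link. It assumes syscheck pauses for `syscheck.sleep` seconds after every `syscheck.sleep_after` files, and the per-file message size, the function names and the sample config text are assumptions made for illustration.

```python
import re

# Constructed sample holding the two values suggested in the thread.
SAMPLE_CONF = """\
# constructed sample, not copied from a real agent
syscheck.sleep=5
syscheck.sleep_after=5
"""

ASSUMED_BYTES_PER_FILE = 200   # assumption: one file name + checksum message
LINK_BPS = 768_000             # the 768k site link described in the thread


def parse_syscheck_options(text):
    """Extract syscheck.sleep and syscheck.sleep_after from key=value text."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.fullmatch(r"syscheck\.(sleep|sleep_after)\s*=\s*(\d+)", line)
        if m:
            opts[m.group(1)] = int(m.group(2))
    missing = {"sleep", "sleep_after"} - opts.keys()
    if missing:
        raise ValueError(f"missing syscheck options: {sorted(missing)}")
    if opts["sleep_after"] == 0:
        raise ValueError("syscheck.sleep_after must be at least 1")
    return opts


def throttle_ceiling(opts, bytes_per_file=ASSUMED_BYTES_PER_FILE):
    """Upper bound (files/s, bits/s) under the assumed pause semantics.

    Time spent hashing is ignored, so the real rate is lower than this.
    """
    if opts["sleep"] == 0:
        return float("inf"), float("inf")             # no pause, no throttle
    files_per_s = opts["sleep_after"] / opts["sleep"]
    return files_per_s, files_per_s * bytes_per_file * 8


def baseline_sleep_seconds(opts, file_count):
    """Time the first full scan spends sleeping for file_count files."""
    return (file_count // opts["sleep_after"]) * opts["sleep"]


def link_share(bits_per_s, link_bps=LINK_BPS):
    """Fraction of the link the throttled scan can occupy at most."""
    return bits_per_s / link_bps
```

The trade-off the estimator makes visible is that a tighter throttle stretches the initial baseline: at the values above, 50,000 monitored files take at least 50,000 seconds of sleep time before the first scan completes.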
