Ok, setting the following: syscheck.sleep=20 syscheck.sleep_after=15
There is a brief spike of CPU usage, then it seems to behave properly for a bit, but within 5 minutes (it's random, sometimes it's much sooner) the CPU is pegged at 100% until the service is stopped. Setting Debug to 2 does not log any errors. I really have no idea what to do as OSSec does not react this way on our Linux or Solaris machines. It is however seeming like we can not run the Windows agent, which quite frankly sucks. On Tue, 2008-05-20 at 14:24 -0300, Daniel Cid wrote: > Hi Sean, > > Actually, no, the internal_options file is unique from each agent... > However, it sounds like a good > feature request for next version. > > > Thanks, > > -- > Daniel B. Cid > dcid ( at ) ossec.net > > On Fri, May 16, 2008 at 4:48 PM, Sean Brown <[EMAIL PROTECTED]> wrote: > > > > On Fri, 2008-05-16 at 14:42 -0300, Daniel Cid wrote: > >> Hi Sean, > >> > >> When OSSEC starts it sends all the integrity checking messages to the > >> server (basically all the > >> monitored file names and checksums), so it can use a lot of bandwidth. > >> So make sure it runs > >> the integrity checking slowly, take a look at: > >> > >> http://www.ossec.net/wiki/index.php/Know_How:Syscheck_Perf > >> > >> Specially changing the values of syscheck.sleep and sleep_after to > >> something like: > >> > >> syscheck.sleep=5 > >> syscheck.sleep_after=5 > >> > >> Should use much less CPU/bandwidth. > > > > Am I correct in assuming that editing the internal_options.conf on the > > server, all the agents will recieve the updated settings? > >
