Hello OSSEC users,
I really appreciate your input on this ...
 
My new OSSEC 2.1 installation with 10 clients is seeing ...
  1) High CPU usage from ossec-analysisd (may consume an entire CPU).
  2) Agents reporting "Disconnected" en masse, every couple of days.
 
And wondering ...
  1) Is it normal for ossec-analysisd to peg an entire CPU?
  2) Does recurrence of agent "Disconnected" indicate that my server is near capacity for clients?
  3) What is a typical server architecture/model for 10, 100 and 1000 clients?
 
It seems that 10 clients is a very low number to be experiencing performance limitations, and wonder how many clients people are commonly supporting on a single OSSEC server.
 
Also surmising that since ossec-analysisd and ossec-syscheckd (the heavy hitters) are single threaded, the new multicore/multithreaded CPUs will offer little benefit.
 
 
Server config ...
  Sun V210
  2 SPARC processors at 1002 MHz.
  8GB memory
  Solaris 10
 
Client config ...
  Solaris 8 and 10.
  Previous generation SPARC
 
OSSEC version 2.1.
Nearly all default settings.
Active alert disabled.
 
 
Normal server during a client syscheck scan (forwarding database phase) ...
 
# prstat ...
   PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP      
 25049 ossec    4496K 3224K sleep    0   19   0:18:24  29% ossec-analysisd/1
 25060 ossecr   3720K 2288K sleep    2   19   0:00:21 0.2% ossec-remoted/3
 25067 ossec    3048K 1568K sleep    2   19   0:00:00 0.0% ossec-monitord/1
 25053 root     2864K 1592K sleep    2   19   0:00:00 0.0% ossec-logcollec/1
 25038 ossecm   3056K 1656K sleep    2   19   0:00:00 0.0% ossec-csyslogd/1
 25041 ossecm   4560K 2736K sleep    2   19   0:00:00 0.0% ossec-maild/1
 25063 root     3064K 1560K sleep    2   19   0:00:00 0.0% ossec-syscheckd/1
 
 
Overloaded server during a client syscheck scan (possibly several simultaneous scans) ...
 
# ./agent_control -l 
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ux442 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: uxlab5, IP: 10.32.2.125, Disconnected
   ID: 002, Name: ux142, IP: 168.230.131.234, Active
   ID: 003, Name: ux145, IP: 168.230.140.157, Disconnected
   ID: 004, Name: ux123, IP: 168.230.129.94, Disconnected
   ID: 007, Name: ux141, IP: 168.230.129.174, Disconnected
   ID: 010, Name: ux144, IP: 168.230.129.179, Disconnected
   ID: 011, Name: ux143, IP: 168.230.131.236, Active
   ID: 012, Name: ux138, IP: 168.230.131.205, Disconnected
   ID: 013, Name: ux139, IP: 168.230.131.82, Active
   ID: 014, Name: ux140, IP: 168.230.129.205, Disconnected
List of agentless devices:

# prstat ...
   PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP      
 13885 ossec    4648K 3344K cpu0     0    0    2:39:24  49% ossec-analysisd/1
 13897 ossecr   3736K 2368K sleep   59    0   0:08:42 0.0% ossec-remoted/3
 ...
Total: 74 processes, 168 lwps, load averages: 1.14, 1.04, 0.99
 
 
All comments and experiences welcome.
Thank You,
Ken Wachtler
New OSSEC user, Minnesota USA
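As an added example (not part of the original post and not OSSEC's own tooling), the following script parses the two outputs quoted above, `agent_control -l` and `prstat`, and turns them into a simple health check: it counts how many non-server agents are Disconnected and reads the CPU share of ossec-analysisd. The sample text is copied from the post's overloaded-server listing; the function names and the warning thresholds (`cpu_warn`, `disc_warn`) are assumptions chosen for illustration.

```python
import re
from typing import Dict, List, Tuple

# Sample agent_control -l output, copied from the post's overloaded-server listing.
AGENT_CONTROL_OUTPUT = """\
OSSEC HIDS agent_control. List of available agents:
   ID: 000, Name: ux442 (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: uxlab5, IP: 10.32.2.125, Disconnected
   ID: 002, Name: ux142, IP: 168.230.131.234, Active
   ID: 003, Name: ux145, IP: 168.230.140.157, Disconnected
   ID: 004, Name: ux123, IP: 168.230.129.94, Disconnected
   ID: 007, Name: ux141, IP: 168.230.129.174, Disconnected
   ID: 010, Name: ux144, IP: 168.230.129.179, Disconnected
   ID: 011, Name: ux143, IP: 168.230.131.236, Active
   ID: 012, Name: ux138, IP: 168.230.131.205, Disconnected
   ID: 013, Name: ux139, IP: 168.230.131.82, Active
   ID: 014, Name: ux140, IP: 168.230.129.205, Disconnected
List of agentless devices:
"""

# Sample prstat output, copied from the same listing (trailing summary line included).
PRSTAT_OUTPUT = """\
   PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
 13885 ossec    4648K 3344K cpu0     0    0    2:39:24  49% ossec-analysisd/1
 13897 ossecr   3736K 2368K sleep   59    0   0:08:42 0.0% ossec-remoted/3
Total: 74 processes, 168 lwps, load averages: 1.14, 1.04, 0.99
"""

# One agent line: "ID: 001, Name: uxlab5, IP: 10.32.2.125, Disconnected"
AGENT_RE = re.compile(r"ID:\s*(\d+),\s*Name:\s*(.+?),\s*IP:\s*(\S+),\s*(\S+)\s*$")


def parse_agent_list(text: str) -> List[Dict[str, object]]:
    """Parse agent_control -l output into one record per agent."""
    agents = []
    for line in text.splitlines():
        m = AGENT_RE.search(line)
        if not m:
            continue  # header, footer, or unrelated line
        agent_id, name, ip, status = m.groups()
        agents.append({
            "id": agent_id,
            "name": name,
            "ip": ip,
            "status": status,
            # The manager itself is listed as "Active/Local"; exclude it from agent counts.
            "is_server": "/Local" in status,
        })
    return agents


def disconnected_ratio(agents: List[Dict[str, object]]) -> Tuple[int, int, float]:
    """Return (disconnected, total, fraction) over non-server agents."""
    remote = [a for a in agents if not a["is_server"]]
    disconnected = [a for a in remote if a["status"] == "Disconnected"]
    total = len(remote)
    return len(disconnected), total, (len(disconnected) / total if total else 0.0)


def parse_prstat(text: str) -> Dict[str, float]:
    """Map process name (without the /NLWP suffix) to its CPU percentage."""
    cpu: Dict[str, float] = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a numeric PID and carry 10 columns; skip header and totals.
        if len(fields) < 10 or not fields[0].isdigit():
            continue
        pct = float(fields[8].rstrip("%"))
        proc = fields[9].rsplit("/", 1)[0]
        cpu[proc] = pct
    return cpu


def assess(agent_text: str, prstat_text: str,
           cpu_warn: float = 90.0, disc_warn: float = 0.5) -> List[str]:
    """Produce human-readable warnings; thresholds are illustrative assumptions."""
    findings = []
    n_disc, n_total, ratio = disconnected_ratio(parse_agent_list(agent_text))
    if n_total and ratio >= disc_warn:
        findings.append(f"{n_disc}/{n_total} agents Disconnected ({ratio:.0%})")
    analysisd = parse_prstat(prstat_text).get("ossec-analysisd", 0.0)
    if analysisd >= cpu_warn:
        findings.append(f"ossec-analysisd at {analysisd:.1f}% CPU")
    return findings


if __name__ == "__main__":
    for f in assess(AGENT_CONTROL_OUTPUT, PRSTAT_OUTPUT):
        print("WARNING:", f)
```

Run against the post's own listing, the script reports 7 of 10 agents Disconnected; the ossec-analysisd figure of 49% stays below the (assumed) 90% threshold, which on a two-processor box corresponds to roughly one CPU fully busy. Feeding it periodic snapshots would let you see whether disconnections cluster around syscheck scans, which is the correlation the post suspects.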