Is ossec-syscheckd running? Is it eating up a lot of CPU?
It was running and not eating up much CPU; the problem ended up being the
/proc and /sys partitions. I have set an ignore rule for these and now all
is well. I think I might set up a script to scan and then ignore any
devices that are on the box as well. Strace helped work out where the
problem lay.
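As an added example (not from this thread and not part of OSSEC itself), a small POSIX sh script in the spirit of the scan-and-ignore idea above: it reads a /proc/mounts-style listing and emits `<ignore>` entries for OSSEC's `<syscheck>` section for every pseudo or device filesystem it finds, so the same fix covers /proc, /sys and /dev in one pass. The list of filesystem types treated as pseudo and the sample mounts table are assumptions constructed here for offline use.

```shell
#!/bin/sh
# Generate OSSEC syscheck <ignore> entries for pseudo and device filesystems
# listed in /proc/mounts format. Example code, not part of OSSEC.

# Filesystem types whose mount points hold no real files worth hashing
# (assumed list; extend to match the host).
PSEUDO_FS="proc sysfs devtmpfs devpts tmpfs cgroup cgroup2 debugfs securityfs mqueue hugetlbfs pstore"

# Reads /proc/mounts-style lines on stdin, prints one
# "<ignore>MOUNTPOINT</ignore>" line per matching mount, sorted, deduplicated.
gen_syscheck_ignores() {
    awk -v types="$PSEUDO_FS" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) skip[t[i]] = 1 }
        # /proc/mounts fields: device mountpoint fstype options dump pass
        ($3 in skip) { print "    <ignore>" $2 "</ignore>" }
    ' | sort -u
}

# Wraps the entries in a minimal ossec.conf fragment (stdin is the mounts list).
gen_syscheck_fragment() {
    echo "<ossec_config>"
    echo "  <syscheck>"
    gen_syscheck_ignores
    echo "  </syscheck>"
    echo "</ossec_config>"
}

# Constructed sample of /proc/mounts for offline testing (not from a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=4096k,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sdb1 /data xfs rw,relatime 0 0'

# On a live host: gen_syscheck_fragment < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | gen_syscheck_fragment
```

The generated fragment is meant to be merged into the existing `<syscheck>` block of ossec.conf, next to the `<directories>` entries already there.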
This is good to know. I think it's time to update the FAQ/Wiki with these
details.
I'm liking the idea (which I have no idea if it's possible yet; no
documentation that I can see on it online at least?) of using ossec to
search through MySQL that's had all the logs sent to it centrally.
Now that I've learned it's possible, I'm looking at the idea of
just running ossec on a central syslog server. I don't see it of much use
at all for file integrity; it's just so unconfigurable, which is a shame
because the logging part is great.
I don't know what logging solution you are using, but all major syslog
daemons that do mysql inserts also allow you to duplicate the message to
files and the database. This way you could set up ossec (or even just an
agent) to read the files and generate alerts. Then have log rotation run
often so that file system space does not get wasted on dup data for too
long.
--
Jeremy Rossi
e: Look at the headers
t: http://twitter.com/jrossi