I originally had _no_ custom ignore options in ossec.conf. Yesterday I added several custom directory ignore options in ossec.conf, restarted, and then observed ossec CPU usage drop and noticed I had no disconnecting agents for the remainder of the day.
I'm not familiar with the ossec code base; I hope my observations accurately reflect code design. Tomorrow I'll revert my config and write a script to generate thousands of file integrity events and see if I can reproduce it easily.

On 9/18/10 1:58 PM, "Michael Starks" <[email protected]> wrote:
> On 09/18/2010 01:49 AM, Tate Hansen wrote:
>> Instead of configuring ossec.conf with additional "file/directories" to
>> ignore, I had written rules (inside local_rules.xml) to simply reduce the
>> "level" to 0 (i.e. I wanted to have a forensic trail, but not be alerted).
>>
>> As soon as I added the directories containing the majority of file changes
>> to the ignore lines in ossec.conf -> restarted -> ossec-analysisd CPU
>> consumption plummeted and I have yet to see a single agent disconnect
>> message.
>
> Thanks for the report. I'm confused. Did you ignore them in ossec.conf
> or set the alert level to 0?
>
> Also, setting the alert to 0 will cause the alerts to not be written to
> alerts.log. You'll only have the checksums in the database and it's
> pretty easy to clear the database. That would kill your forensics records.
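To make the two configurations compared in this thread concrete, here is an added example (not from the thread and not the OSSEC project's own configuration; the paths under /var/www are hypothetical placeholders). It shows the syscheck `<ignore>` form in ossec.conf next to the level-0 override in local_rules.xml that the thread discusses, plus a level-1 variant that keeps the alert in alerts.log without emailing it.

```xml
<!-- ossec.conf (server or agent): exclude noisy paths from syscheck
     entirely. Files under an ignored path are not hashed, not stored in
     the syscheck database and never produce an event for ossec-analysisd
     to match. Directory names below are hypothetical placeholders. -->
<ossec_config>
  <syscheck>
    <frequency>79200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/var/www</directories>

    <!-- literal prefix match: anything under these paths is skipped -->
    <ignore>/var/www/cache</ignore>
    <ignore>/var/www/sessions</ignore>

    <!-- regex form: skip temp and log files wherever they appear -->
    <ignore type="sregex">.tmp$|.log$|.swp$</ignore>
  </syscheck>
</ossec_config>

<!-- local_rules.xml: the alternative discussed in the thread. Every file
     change under /var/www/cache is still hashed, forwarded to the server
     and matched by analysisd; only the alert is suppressed. Level 0 means
     the event is NOT written to alerts.log (log_alert_level defaults to 1),
     so the only trace left is the checksum in the syscheck database. -->
<group name="local,syscheck,">
  <!-- 550 = "Integrity checksum changed", 554 = "File added" -->
  <rule id="100100" level="0">
    <if_sid>550,554</if_sid>
    <match>/var/www/cache/</match>
    <description>Cache churn; drop the alert (and lose the alerts.log trail).</description>
  </rule>

  <!-- If the aim is a forensic trail without notification, keep level 1:
       the alert still lands in alerts.log but stays below the default
       email_alert_level of 7. This costs the same syscheck and analysisd
       work as the level-0 rule; only the ossec.conf ignore avoids it. -->
  <rule id="100101" level="1">
    <if_sid>550,554</if_sid>
    <match>/var/www/sessions/</match>
    <description>Session churn; log it, do not email it.</description>
  </rule>
</group>
```

The two snippets are separate files shown in one block for comparison. The trade-off they illustrate is the one raised above: the ossec.conf ignore removes the work and the record, while a local_rules.xml override keeps the work and, at level 0, drops the record anyway.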
