I ran a couple of tests yesterday, where I generated about 2500 EPS in the log files being monitored.
Today, the OSSEC stats have been updated and looking at the hourly-average figures, I see that OSSEC is currently processing 2500 EPS. (The hourly-average reports a figure of 89,830,xxx for 4 consecutive hours.) Resource usage is barely noticeable. CPU% for analysisd hit a high of 5% for a bit of time, but largely remained in the 1-2% range.

I'm not sure if the log events I'm generating are stressing analysisd enough. I would like to add logs that make analysisd test against more rules. If anyone has sample logs that I could use to test, I would greatly appreciate it if you can share them with me.

I'm planning to do another test with around 4000 EPS being generated in the log files.

On Tue, Sep 21, 2010 at 9:48 PM, Michael Starks <[email protected]> wrote:
> On 09/21/2010 02:10 PM, Christopher Moraes wrote:
>
>> Hi Aamir,
>>
>> Thanks for your reply. I went through the link you sent. Currently I
>> am only testing the performance of the log analysis components. (We
>> intend to use only log-analysis and leave out the file integrity
>> checking and rootkit detection.)
>>
>
> The short answer is that ossec-analysisd is not the bottleneck. Disk I/O
> and kernel parameters will slow things down first. Specifically, I recall
> UDP buffers having an effect. Seems like a good topic for Week of OSSEC. I
> know Daniel in particular has done extensive testing in this area. From what
> I recall, I think you can reasonably expect around 1,000 eps on a well-tuned
> system.
>
> --
> Michael Starks
> [I] Immutable Security
> http://www.immutablesecurity.com
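For anyone reproducing this kind of analysisd load test, here is an added example (not from this thread or from the OSSEC project) of a paced generator that appends syslog-style auth events to a monitored file at a target EPS, mixing sshd, sudo and su message shapes so more than one decoder and rule set is exercised, plus the conversion from OSSEC's hourly event total back to EPS. Hostname, user names, IP ranges and the output path are constructed values; the pacing tick of 100 ms is an assumption.

```python
import random
import time
from datetime import datetime

# Constructed message bodies in the usual auth.log layout (users, IPs, pids are made up).
TEMPLATES = [
    "sshd[{pid}]: Failed password for invalid user {user} from {ip} port {port} ssh2",
    "sshd[{pid}]: Accepted publickey for {user} from {ip} port {port} ssh2",
    "sudo: {user} : TTY=pts/0 ; PWD=/home/{user} ; USER=root ; COMMAND=/bin/ls",
    "su[{pid}]: FAILED su for root by {user}",
]
USERS = ["alice", "bob", "svc-backup", "guest"]


def make_event(rng, when, host="testhost"):
    """Build one syslog line; the source rotates so different decoders/rules fire."""
    body = rng.choice(TEMPLATES).format(
        pid=rng.randint(1000, 65000),
        user=rng.choice(USERS),
        ip=f"10.0.{rng.randint(0, 255)}.{rng.randint(1, 254)}",
        port=rng.randint(1024, 65535),
    )
    return f"{when.strftime('%b %d %H:%M:%S')} {host} {body}"


def generate(path, eps, seconds, seed=0, tick=0.1):
    """Append events to `path` at roughly `eps` per second for `seconds`.

    Lines are written in bursts once per `tick` (assumed 100 ms) and flushed so
    the monitoring agent sees a steady stream; returns the number of lines written.
    """
    rng = random.Random(seed)
    per_tick = max(1, round(eps * tick))
    written = 0
    deadline = time.monotonic() + seconds
    with open(path, "a") as f:
        while time.monotonic() < deadline:
            started = time.monotonic()
            now = datetime.now()
            f.writelines(make_event(rng, now) + "\n" for _ in range(per_tick))
            f.flush()
            written += per_tick
            # Sleep off the remainder of the tick so the rate does not overshoot.
            time.sleep(max(0.0, tick - (time.monotonic() - started)))
    return written


def eps_from_hourly(events_per_hour):
    """Convert an hourly event total (as in OSSEC's stats) to events per second."""
    return events_per_hour / 3600.0
```

Point `generate()` at a file listed in ossec.conf as a monitored log and compare the hourly total OSSEC reports against `eps_from_hourly()` to confirm the agent kept up.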
