I have some logs at http://code.google.com/p/wip-ossec-rules
On Wed, Sep 22, 2010 at 9:42 AM, Christopher Moraes <[email protected]> wrote:
> I ran a couple of tests yesterday, where I generated about 2500 EPS in the log files being monitored.
>
> Today, the OSSEC stats have been updated and looking at the hourly-average figures, I see that OSSEC is currently processing 2500 EPS. (The hourly-average reports a figure of 89,830,xxx for 4 consecutive hours.) Resource usage is barely noticeable. CPU% for analysisd hit a high of 5% for a bit of time, but largely remained in the 1-2% range.
>
> I'm not sure if the log events I'm generating are stressing analysisd enough. I would like to add logs that make analysisd test against more rules. If anyone has sample logs that I could use to test, I would greatly appreciate it if you can share them with me.
>
> I'm planning to do another test with around 4000 EPS being generated in the log files.
>
> On Tue, Sep 21, 2010 at 9:48 PM, Michael Starks <[email protected]> wrote:
>> On 09/21/2010 02:10 PM, Christopher Moraes wrote:
>>> Hi Aamir,
>>>
>>> Thanks for your reply. I went through the link you sent. Currently I am only testing the performance of the log analysis components. (We intend to use only log analysis and leave out the file integrity checking and rootkit detection.)
>>
>> The short answer is that ossec-analysisd is not the bottleneck. Disk I/O and kernel parameters will slow things down first. Specifically, I recall UDP buffers having an effect. Seems like a good topic for Week of OSSEC. I know Daniel in particular has done extensive testing in this area. From what I recall, I think you can reasonably expect around 1,000 EPS on a well-tuned system.
>>
>> --
>> Michael Starks
>> [I] Immutable Security
>> http://www.immutablesecurity.com
