Hi everyone,

Here are the detailed results of the performance tests that I ran.

*Summary:*

- The tests covered only the log-analysis functionality of OSSEC
- A total of 4 test runs were done, each with a different rate of EPS generated in the log files.
- Each test was run for 2-3 hours and the results were averaged out.
- The test machine is a 2 Core, 4 GB RAM, RHEL Virtual Machine.
- OSSEC is installed in local mode and is monitoring 4 log files: syslog, maillog, 2 apache logs.

*Observations:*

- OSSEC scales vertically, using more CPU as the load (EPS) increases
- At 11,000 EPS, log-collector and analysisd used a combined average of 70% of the CPU
- Memory utilization was between 1-2% irrespective of the EPS
- Size of the log files has no effect on the performance of OSSEC (8.5 GB log file was used during the test)

*Detailed Test Results:*

| Run | Generated EPS | Processed EPS | % Alerts generated | Analysisd CPU Avg | Logcollector Avg CPU |
|-----|---------------|---------------|--------------------|-------------------|----------------------|
| 1   | 2700          | 2700          | 18.56%             | 11                | 3                    |
| 2   | 3600          | 3800          | 18.56%             | 14                | 4                    |
| 3   | 6000          | 6000          | 18.61%             | 26                | 10                   |
| 4   | 11000         | 11000         | 18.72%             | 48                | 22                   |

*% increase in EPS v/s % increase in resource utilization*

| Processed EPS | Combined Avg %CPU (analysisd + logcollector) | % increase in EPS | % increase in CPU utilization | Notes                   |
|---------------|----------------------------------------------|-------------------|-------------------------------|-------------------------|
| 2700          | 14                                           | 0.00%             | 0.00%                         | baseline for comparison |
| 3600          | 18                                           | 33.33%            | 28.57%                        |                         |
| 6000          | 36                                           | 66.67%            | 100.00%                       |                         |
| 11000         | 70                                           | 83.33%            | 94.44%                        |                         |
