Hey, thanks for all these tests, I really love OSSEC even more after that :)
About memory, I think, not sure, it could be tested in depth by creating logs that force the OSSEC correlation engine to work more.

On 23 sep, 16:00, Christopher Moraes <[email protected]> wrote:
> Hi everyone,
>
> Here are the detailed results of the performance tests that I ran.
>
> *Summary:*
> - The tests covered only the log-analysis functionality of OSSEC
> - A total of 4 test runs were done. Each with a different rate of EPS
>   generated in the log files.
> - Each test was run for 2-3 hours and the results were averaged out.
> - The test machine is a 2 Core, 4 GB RAM, RHEL Virtual Machine.
> - OSSEC is installed in local mode and is monitoring 4 log files - syslog,
>   maillog, 2 apache logs.
>
> *Observations:*
> - OSSEC scales vertically, using more CPU as the load (EPS) increases
> - At 11,000 EPS, log-collector and analysisd used a combined average of 70%
>   of the CPU
> - Memory utilization was between 1-2% irrespective of the EPS
> - Size of the log files has no effect on the performance of OSSEC (8.5 GB
>   log file was used during the test)
>
> *Detailed Test Results:*
>
> Run  Generated EPS  Processed EPS  % Alerts generated  Analysisd CPU Avg  Logcollector Avg CPU
> 1    2700           2700           18.56%              11                 3
> 2    3600           3800           18.56%              14                 4
> 3    6000           6000           18.61%              26                 10
> 4    11000          11000          18.72%              48                 22
>
> % increase in EPS v/s % increase in resource utilization
>
> Processed EPS  Combined Avg %CPU (analysisd + logcollector)  % increase in EPS  % increase in CPU utilization
> 2700           14                                            0.00%              0.00%   <----- baseline for comparison
> 3600           18                                            33.33%             28.57%
> 6000           36                                            66.67%             100.00%
> 11000          70                                            83.33%             94.44%
