Hi, I just wanted to share with the community that I have tested OSSEC (2.4.1 & 2.5.1) reading a large log file (> 1 TB) and have confirmed that there is no performance degradation due to the large log file size.
Even though it is clear that, by design, ossec should not show any performance degradation (ossec reads log messages as they are added to a log file), this is something that my team wanted to confirm.

Test Environment: 2 core, 4 GB RAM virtual machine running RHEL 5.4 with a 1.5 TB iSCSI LUN attached to it.

The test consisted of:

1. Establishing a performance benchmark by first testing the performance on a 1 GB log file. An input load of 8000 EPS was generated and OSSEC successfully processed the incoming logs at 8000 EPS. The average CPU utilization was 50%.
2. Running a similar test on 500 GB and 1 TB log files. An input load of 8000 EPS was generated on these files and ossec processed the logs at 8000 EPS. There was no degradation in performance. The average CPU utilization was 50%.

Note: The log file sizes mentioned are the sizes of the logs before ossec was started. Log messages were added to a 1 GB, 500 GB and 1 TB log file at the quoted EPS rate. This test does not measure how fast ossec could process a 500 GB or 1 TB log file.

Regards,
Chris
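The reason the result above is expected is that a log collector opens the file, seeks to its current end, and thereafter reads only the bytes appended since its last poll, so per-poll cost scales with new events rather than with the backlog already on disk. The following is an added illustration of that tail-follow pattern (not OSSEC's own code); `TailFollower`, `append_events` and `run_backlog_test` are names chosen here, the log lines are constructed, and the rotation/truncation check is the caveat a real collector must also handle so events are not silently missed after logrotate.

```python
import os
import tempfile

class TailFollower:
    """Read only what is appended after open (the way a log collector does),
    so each poll costs time proportional to new data, not to file size.
    Added illustration, not OSSEC's own code."""

    def __init__(self, path):
        self.path, self.partial = path, b""
        self.fh = open(path, "rb")
        self.inode = os.fstat(self.fh.fileno()).st_ino
        self.fh.seek(0, os.SEEK_END)          # skip the pre-existing backlog
        self.offset = self.fh.tell()

    def _reopen_if_rotated(self):
        """Handle truncation (size < offset) or rotation (new inode at path)."""
        st = os.stat(self.path)
        if st.st_ino != self.inode:
            self.fh.close()
            self.fh = open(self.path, "rb")
            self.inode, self.offset, self.partial = st.st_ino, 0, b""
        elif st.st_size < self.offset:
            self.offset, self.partial = 0, b""

    def poll(self):
        """Return the complete lines appended since the previous poll."""
        self._reopen_if_rotated()
        self.fh.seek(self.offset)
        data = self.partial + self.fh.read()
        self.offset = self.fh.tell()
        lines = data.split(b"\n")
        self.partial = lines.pop()             # unfinished last line waits
        return [l.decode("utf-8", "replace") for l in lines]

def append_events(path, count, start=0):
    """Append `count` constructed syslog-style lines; returns next seq no."""
    with open(path, "a") as f:
        for i in range(start, start + count):
            f.write(f"Jan 1 00:00:00 host sshd[42]: test event {i}\n")
    return start + count

def run_backlog_test(backlog, new_events):
    """Pre-size a log with `backlog` lines, start following, then append
    `new_events`; returns how many lines the follower actually read."""
    path = os.path.join(tempfile.mkdtemp(), "test.log")
    seq = append_events(path, backlog)
    follower = TailFollower(path)              # opened after the backlog exists
    append_events(path, new_events, seq)
    got = follower.poll()
    return {"read": len(got), "first": got[0] if got else None}
```

Running `run_backlog_test` with a large backlog and a small batch of new events shows the follower returns only the new batch, which is the property the test above relied on.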
