Hi list, We are trying to examine the impact of the OSSEC agent on our more sensitive systems. However, we're quite confused about which OSSEC process does what.
Our agents are configured with syscheck and rootcheck both enabled and syscheck set to scan on start. We watched the agent restart by tailing ossec.log and using top to monitor CPU usage and process activity. We saw significant activity by ossec-syscheckd, jumping as high as 40% CPU, in the minute or so after the agent started. This was expected given the scan_on_start=yes.

Five minutes later, the log showed the message "Starting syscheck scan", but ossec-syscheckd didn't even make top's list of processes using the CPU, while ossec-agentd went up to around 1% CPU usage and stayed there. Then ossec-agentd dropped back to 0% usage immediately after the "Ending syscheck scan" message in the logs. This was odd since we were expecting to see ossec-syscheckd in use during the syscheck.

Next came the rootcheck, at which point ossec-syscheckd became active, again shooting up to 35-40% CPU usage for the duration of rootcheck. After the "Ending rootcheck scan" message, ossec-syscheckd gradually dropped back down to 0% usage, leaving us thoroughly confused.

Could someone please explain which process does what? Why does ossec-syscheckd show significant activity during rootcheck and scan_on_start, but do nothing during a scheduled syscheck? Why does ossec-agentd show activity during a syscheck?

Thanks in advance!

-Alisha

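The measurement described in the post (tail ossec.log, watch top) can be made repeatable by correlating the "Starting ... scan" / "Ending ... scan" log messages with timestamped per-process CPU samples. The script below is an added example written for this thread; it is not OSSEC's own code and not something the poster ran. It assumes OSSEC's `ossec.log` line format (`YYYY/MM/DD HH:MM:SS process: LEVEL: message`) and a constructed sample file of `timestamp pcpu comm` lines such as a `ps -eo pcpu=,comm=` polling loop would produce; the log lines and CPU samples embedded in it are constructed to mirror the numbers the post reports, not captured from a real agent.

```python
import re
from datetime import datetime

# OSSEC writes ossec.log lines as "YYYY/MM/DD HH:MM:SS <process>: <LEVEL>: <message>".
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>[\w-]+): (?P<level>\w+): (?P<msg>.*)$"
)
# Scan-boundary messages quoted in the thread, with or without a trailing period.
PHASE_RE = re.compile(r"^(Starting|Ending) (syscheck|rootcheck) scan\.?$")
TS_FMT = "%Y/%m/%d %H:%M:%S"

# CPU sample lines: "<timestamp> <pcpu> <comm>", one line per OSSEC process per poll.
# Assumed collection loop on the agent (hypothetical, adjust to taste):
#   ps -eo pcpu=,comm= | awk -v d="$(date '+%Y/%m/%d %H:%M:%S')" '/ossec/ {print d, $1, $2}'
SAMPLE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(?P<cpu>\d+(?:\.\d+)?)\s+(?P<proc>\S+)$"
)


def parse_scan_windows(log_lines):
    """Return [(scan_name, start, end)] for every Starting/Ending pair in ossec.log."""
    open_scans = {}
    windows = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        pm = PHASE_RE.match(m.group("msg"))
        if not pm:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        action, scan = pm.groups()
        if action == "Starting":
            open_scans[scan] = ts
        elif scan in open_scans:  # ignore an Ending with no matching Starting
            windows.append((scan, open_scans.pop(scan), ts))
    return windows


def parse_cpu_samples(sample_lines):
    """Return [(datetime, process_name, cpu_percent)] from the sample file."""
    samples = []
    for line in sample_lines:
        m = SAMPLE_RE.match(line.strip())
        if m:
            samples.append((datetime.strptime(m.group("ts"), TS_FMT),
                            m.group("proc"), float(m.group("cpu"))))
    return samples


def cpu_by_phase(windows, samples):
    """Mean CPU% per process for the samples that fall inside each scan window."""
    result = {}
    for scan, start, end in windows:
        per_proc = {}
        for ts, proc, cpu in samples:
            if start <= ts <= end:
                per_proc.setdefault(proc, []).append(cpu)
        result[scan] = {p: round(sum(v) / len(v), 1) for p, v in per_proc.items()}
    return result


# Constructed ossec.log excerpt and CPU samples (not real agent output).
SAMPLE_LOG = """\
2013/07/11 10:00:00 ossec-agentd: INFO: Started (pid: 1234).
2013/07/11 10:05:00 ossec-syscheckd: INFO: Starting syscheck scan.
2013/07/11 10:06:00 ossec-syscheckd: INFO: Ending syscheck scan.
2013/07/11 10:06:30 ossec-rootcheck: INFO: Starting rootcheck scan.
2013/07/11 10:08:00 ossec-rootcheck: INFO: Ending rootcheck scan.
""".splitlines()

SAMPLE_CPU = """\
2013/07/11 10:05:10  0.0 ossec-syscheckd
2013/07/11 10:05:10  1.0 ossec-agentd
2013/07/11 10:05:40  0.0 ossec-syscheckd
2013/07/11 10:05:40  1.2 ossec-agentd
2013/07/11 10:07:00 40.0 ossec-syscheckd
2013/07/11 10:07:00  0.0 ossec-agentd
2013/07/11 10:07:30 35.0 ossec-syscheckd
2013/07/11 10:07:30  0.2 ossec-agentd
2013/07/11 10:09:00  0.0 ossec-syscheckd
""".splitlines()


def analyse(log_lines=SAMPLE_LOG, sample_lines=SAMPLE_CPU):
    return cpu_by_phase(parse_scan_windows(log_lines), parse_cpu_samples(sample_lines))


if __name__ == "__main__":
    for scan, procs in analyse().items():
        print(scan, {p: f"{c}%" for p, c in sorted(procs.items())})
```

Run against a real `ossec.log` and a sample file collected during one agent restart, the output gives a per-phase table of mean CPU per OSSEC process, which is the number a change-control reviewer for the "sensitive systems" mentioned in the post actually needs, rather than a reading off top.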