Hi Alisha,

On Thu, Jan 6, 2011 at 11:56 AM, Alisha Kloc <[email protected]> wrote:
> Hi list,
>
> We are trying to examine the impact of the OSSEC agent on our more
> sensitive systems. However, we're quite confused about which OSSEC
> process does what.
>
> Our agents are configured with syscheck and rootcheck both enabled and
> syscheck set to scan on start. We watched the agent restart by tailing
> ossec.log and using top to monitor CPU usage and process activity.
>
> We saw significant activity by ossec-syscheckd, jumping as high as 40%
> CPU, in the minute or so after the agent started. This was expected
> given the scan_on_start=yes.
>
> Five minutes later, the log showed the message "Starting syscheck
> scan", but ossec-syscheckd didn't even make top's list of processes
> using the CPU, while ossec-agentd went up to around 1% CPU usage and
> stayed there. Then ossec-agentd dropped back to 0% usage immediately
> after the "Ending syscheck scan" message in the logs. This was odd
> since we were expecting to see ossec-syscheckd in use during the
> syscheck.
>

The syscheck process limits its own speed. It will scan 15 files, then
sleep for 2 seconds. It does this in an attempt to prevent itself from
hammering the machine for long periods of time.

More info: http://www.ossec.net/wiki/Know_How:Syscheck_Perf

> Next came the rootcheck, at which point ossec-syscheckd became active,
> again shooting up to 35-40% CPU usage for the duration of rootcheck.
> After the "Ending rootcheck scan" message, ossec-syscheckd gradually
> dropped back down to 0% usage, leaving us thoroughly confused.
>

I believe the ossec-syscheckd process also does the rootcheck scans,
and I don't think it attempts to limit its performance the way the
syscheck scan does.

> Could someone please explain which process does what? Why does
> ossec-syscheckd show significant activity during rootcheck and
> scan_on_start, but do nothing during a scheduled syscheck? Why does
> ossec-agentd show activity during a syscheck?
>
> Thanks in advance!
> -Alisha

ossec-agentd probably showed some activity because it was
communicating with the manager system. The information for the files
scanned during the syscheck scan was being sent to the manager for
analysis.

dan
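To make the throttling Dan describes concrete, here is an added example (not OSSEC's own code and not from either poster) of a file-integrity scanner that pauses after every batch of files, using the figures from the thread: 15 files, then a 2-second sleep. The sleep is injected as a parameter so the demo runs instantly and can count the pauses; the SHA-1 digest, the directory walk, the 40-file constructed tree and the `estimated_duration` helper are all assumptions of this example, not details of ossec-syscheckd. It also shows why a throttled scan is nearly invisible in top: for a realistic number of files the process spends most of the scan asleep.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Throttle parameters as stated in the thread: scan 15 files, then sleep 2 seconds.
FILES_PER_BATCH = 15
SLEEP_SECONDS = 2.0


def sha1_of(path):
    """Digest a file in chunks so large files do not get loaded into memory at once."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def throttled_scan(root, sleep=time.sleep,
                   files_per_batch=FILES_PER_BATCH, sleep_seconds=SLEEP_SECONDS):
    """Walk `root`, hash every regular file, and pause after each full batch.

    `sleep` is injectable (assumption of this example) so tests can count pauses.
    Returns (mapping path -> digest, number of sleeps taken).
    """
    digests = {}
    scanned = 0
    sleeps = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = os.path.join(dirpath, name)
            if os.path.islink(p) or not os.path.isfile(p):
                continue  # skip symlinks and special files
            digests[p] = sha1_of(p)
            scanned += 1
            if scanned % files_per_batch == 0:
                sleep(sleep_seconds)  # this is where the CPU usage drops to ~0
                sleeps += 1
    return digests, sleeps


def estimated_duration(file_count, files_per_batch=FILES_PER_BATCH,
                       sleep_seconds=SLEEP_SECONDS):
    """Lower bound on wall-clock seconds spent sleeping during a scan of file_count files."""
    return (file_count // files_per_batch) * sleep_seconds


def compare(baseline, current):
    """Return (added, removed, modified) paths between two scans."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified


def demo():
    """Build a constructed tree of 40 small files, scan it, change one file and add
    another, scan again with a no-op sleep, and report what the throttled scan found."""
    pauses = []
    fake_sleep = lambda seconds: pauses.append(seconds)  # no real delay in the demo
    with tempfile.TemporaryDirectory() as tmp:
        for i in range(40):
            Path(tmp, f"file{i:02d}.txt").write_text(f"constructed content {i}\n")
        baseline, sleeps_first = throttled_scan(tmp, sleep=fake_sleep)
        Path(tmp, "file07.txt").write_text("tampered\n")   # simulated modification
        Path(tmp, "file40.txt").write_text("new file\n")   # simulated addition
        current, sleeps_second = throttled_scan(tmp, sleep=fake_sleep)
        added, removed, modified = compare(baseline, current)
        return {
            "files": len(baseline),
            "sleeps_first_scan": sleeps_first,
            "sleeps_second_scan": sleeps_second,
            "added": [os.path.basename(p) for p in added],
            "modified": [os.path.basename(p) for p in modified],
            "removed": removed,
        }


if __name__ == "__main__":
    print(demo())
    print("sleep time for 10000 files:", estimated_duration(10000), "seconds")
```

With 40 files the scanner pauses twice per pass, and with 10,000 files the sleeping alone accounts for over 22 minutes, which is why a scheduled syscheck barely registers in top even though it is working through the whole file set.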
