One of my OSSEC servers has about 40 agents and sees about 3 million events/day. Now that the issue seems to have been resolved, its CPU utilization is quite low just like yours and is what I'm expecting.

I actually had 5 different OSSEC servers running RHEL/CentOS 5.5 and only 2 of them experienced this particular issue, so I'm not saying it happens to everybody or that it's normal. But I know there were others in the thread who seemed to experience the same issue, so I was asking them to see if they were perhaps running 5.5 and if the upgrade to 5.6 resolved it for them like it seems to have resolved it for me.

Thanks,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com

On Thu, Apr 21, 2011 at 11:33 AM, jjennings <[email protected]> wrote:
> how many agents was the host monitoring? I'm monitoring about 20 agents
> running OSSEC on a virtualized machine with Centos5.5 with only 1 cpu and 1
> GB ram and it's hardly breaking 1.0 in cpu utilization.
>
> ----- Original Message -----
> From: Doug Burks
> To: [email protected]
> Sent: Thursday, April 21, 2011 10:17 AM
> Subject: Re: RE: [ossec-list] All UNIX/LINUX agents disconnecting and
> failing to reconnect
>
> I had two servers that were exhibiting this behavior (ossec-analysisd using
> 99% CPU resulting in agents disconnecting). They were both running CentOS
> 5.5 and I had verified that rebooting the server didn't help. As soon as
> CentOS 5.6 became available, I upgraded and rebooted, and have not seen this
> issue since. This could have been a bad interaction with the kernel or some
> other part of the OS that has been fixed now.
> For anybody else who has experienced this, were you running CentOS/RHEL 5.5?
> Can you try updating to 5.6 and see if that helps?
> Thanks,
> Doug
