Hi,

Two of these systems run Snort, the third runs some packet capturing software.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Started (pid: 11418).
2011/05/11 10:07:19 ossec-rootcheck: INFO: Started (pid: 11418).
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/bin'.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/boot'.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/dev'.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/etc'.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/lib'.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/lib64'.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/sbin'.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/usr/bin'.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/usr/lib'.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/usr/lib64'.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/usr/sbin/'.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/usr/share'.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/usr/local'.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec/bin'.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec/etc'.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/var/ossec/active-response'.
2011/05/11 10:07:19 ossec-syscheckd: INFO: Monitoring directory: '/etc/snort'.

Rootcheck is set up as per the default ossec.conf that is installed with 2.5.1.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Wednesday, May 11, 2011 11:40 AM
To: [email protected]
Subject: Re: [ossec-list] syscheckd high cpu usage

Please provide some information about how you have these systems configured (especially syscheck settings), and what they do.
On Wed, May 11, 2011 at 1:05 PM, Jefferson, Shawn <[email protected]> wrote:
>
> Hi,
>
> I have OSSEC installed on Ubuntu 10.04.2 LTS 64-bit, and the syscheckd process is taking a lot of CPU time, and has for the past couple of days. I haven't seen this behaviour on other installations, but on three of these systems that are configured similarly. Any suggestions on where to look? Rootkitcheck?
>
> You can see this one has been running syscheck for days.
>
> 2011/05/05 20:05:21 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
> 2011/05/05 20:05:21 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
> 2011/05/06 22:21:01 ossec-agentd: INFO: Event count after '20000': 4664877->3811296 (81%)
> 2011/05/08 06:35:39 ossec-agentd: INFO: Event count after '20000': 4195430->3534200 (84%)
> 2011/05/09 15:46:25 ossec-agentd: INFO: Event count after '20000': 4407799->3661232 (83%)
> 2011/05/11 01:30:02 ossec-agentd: INFO: Event count after '20000': 4909642->3973976 (80%)
>
>
>
> Shawn
>
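As an added example (not code from the thread or from OSSEC itself), a small Python check that reads ossec.log lines like the ones quoted above and flags a syscheck scan that started but never logged its completion, which is the symptom described in the original message. The "Ending syscheck scan" message it watches for is assumed from OSSEC's syscheckd logging, and the sample log lines are constructed from the thread.

```python
import re
from datetime import datetime

LOG_TS_FMT = "%Y/%m/%d %H:%M:%S"
# ossec.log line: "<timestamp> <daemon>: <level>: <message>"
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+): (\w+): (.*)$")

# Constructed sample, copied from the lines quoted in the thread: the scan
# starts on 05/05 and only agentd event-count lines follow for days.
SAMPLE_LOG = """\
2011/05/05 20:05:21 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2011/05/05 20:05:21 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
2011/05/06 22:21:01 ossec-agentd: INFO: Event count after '20000': 4664877->3811296 (81%)
2011/05/08 06:35:39 ossec-agentd: INFO: Event count after '20000': 4195430->3534200 (84%)
2011/05/11 01:30:02 ossec-agentd: INFO: Event count after '20000': 4909642->3973976 (80%)
"""


def parse_lines(text):
    """Yield (timestamp, daemon, level, message) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), LOG_TS_FMT), m.group(2), m.group(3), m.group(4)


def open_syscheck_scan(text, now, max_age_hours=12):
    """Return (start_timestamp, age_seconds) when the most recent
    'Starting syscheck scan' has no later 'Ending syscheck scan' (assumed
    completion message) and is older than max_age_hours; otherwise None.
    `now` is given in the log's own timestamp format."""
    start = None
    for ts, daemon, _level, msg in parse_lines(text):
        if daemon != "ossec-syscheckd":
            continue
        if msg.startswith("Starting syscheck scan"):
            start = ts
        elif msg.startswith("Ending syscheck scan"):
            start = None  # the open scan finished
    if start is None:
        return None
    age = int((datetime.strptime(now, LOG_TS_FMT) - start).total_seconds())
    if age <= max_age_hours * 3600:
        return None
    return start.strftime(LOG_TS_FMT), age


if __name__ == "__main__":
    print(open_syscheck_scan(SAMPLE_LOG, "2011/05/11 13:05:00"))
```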
