I ran strace in count mode for 10 seconds on both servers:

Server #1

strace -c -p 9773
Process 9773 attached - interrupt to quit
Process 9773 detached
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 99.68    0.028147           0    165935           read
  0.17    0.000048           0       157           recvfrom
  0.08    0.000022           0       126           _llseek
  0.07    0.000019           0       157           time
  0.00    0.000000           0       114           write
------ ----------- ----------- --------- --------- ----------------
100.00    0.028236                166489           total

Server #2

strace -c -p 855
Process 855 attached - interrupt to quit
Process 855 detached
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
100.00    0.017206           0    292706           read
  0.00    0.000000           0         3           lseek
  0.00    0.000000           0        46           recvfrom
  0.00    0.000000           0        46           time
------ ----------- ----------- --------- --------- ----------------
100.00    0.017206                292801           total

What else would you like to see?

Thanks,
--
Doug Burks, GSE, CISSP
President, Greater Augusta ISSA
http://augusta.issa.org
http://securityonion.blogspot.com

On Thu, May 19, 2011 at 10:06 AM, Doug Burks <[email protected]> wrote:
> I've verified this issue on two CentOS 5.6 servers now:
> 1. OSSEC Server installation with ~40 agents. Attaching strace to
> the ossec-analysisd process shows that it's receiving syscheck info
> (filenames and hashes) from some of the OSSEC agents.
> 2. OSSEC local installation. Attaching strace to the ossec-analysisd
> process shows that it's receiving syscheck info (filenames and hashes)
> from some of the local files. (Of course, this doesn't cause the
> agents to disconnect since it is a local installation and there are no
> agents.)
>
> Thanks,
> --
> Doug Burks, GSE, CISSP
> President, Greater Augusta ISSA
> http://augusta.issa.org
> http://securityonion.blogspot.com
>
>
> On Thu, May 19, 2011 at 9:23 AM, Daniel Cid <[email protected]> wrote:
>> Awesome! :) Can you run strace in there so we can get an idea on what
>> it is doing? It is probably
>> in a lock/loop somewhere....
>>
>> thanks,
>>
>> On Thu, May 19, 2011 at 9:36 AM, Doug Burks <[email protected]> wrote:
>>> My CentOS 5.6 server is now displaying this behavior again. ossec-analysisd
>>> is at 99% CPU usage and causing agents to disconnect. It's been a few weeks
>>> since performing the upgrade to CentOS 5.6 and I haven't seen the issue
>>> until today. Any ideas on how to troubleshoot ossec-analysisd?
>>> Thanks,
>>> Doug
>>
>
>
>
> --
> Doug Burks, GSE, CISSP
> President, Greater Augusta ISSA
> http://augusta.issa.org
> http://securityonion.blogspot.com
>
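The two `strace -c` summaries above share one signature: a single syscall (`read`) accounts for almost every call, each call takes effectively no time (`usecs/call` of 0), and the call rate over the 10-second window is tens of thousands per second, which is what a process spinning in a loop rather than blocking looks like. The script below is an added example, not code from the OSSEC project or from anyone in this thread. It parses `strace -c` output into rows, then applies that reasoning to flag a likely tight loop. The two SERVER summaries are copied from the post above; the HEALTHY summary is a constructed contrast case, and the thresholds in `diagnose()` (at least 90% of calls in one syscall, at least 10,000 calls/s, zero usecs/call) are my own assumptions, not anything the thread states.

```python
"""Parse `strace -c` summaries and flag a process that looks stuck in a tight syscall loop.

Added example for the thread above; not code from the OSSEC project or the posters.
SERVER1/SERVER2 are copied from Doug Burks's post (10 s of `strace -c` each).
HEALTHY and the thresholds in diagnose() are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

SERVER1 = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 99.68    0.028147           0    165935           read
  0.17    0.000048           0       157           recvfrom
  0.08    0.000022           0       126           _llseek
  0.07    0.000019           0       157           time
  0.00    0.000000           0       114           write
------ ----------- ----------- --------- --------- ----------------
100.00    0.028236                166489           total
"""

SERVER2 = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
100.00    0.017206           0    292706           read
  0.00    0.000000           0         3           lseek
  0.00    0.000000           0        46           recvfrom
  0.00    0.000000           0        46           time
------ ----------- ----------- --------- --------- ----------------
100.00    0.017206                292801           total
"""

# Constructed "normal" daemon: it mostly sleeps in select(), and its reads are
# cheap but rare. Not taken from the thread.
HEALTHY = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 80.00    0.400000        4000       100           select
 15.00    0.075000          75      1000           read
  5.00    0.025000         500        50        50 recvfrom
------ ----------- ----------- --------- --------- ----------------
100.00    0.500000                  1150        50 total
"""


@dataclass
class SyscallRow:
    name: str
    calls: int
    errors: int
    seconds: float
    usecs_per_call: int


def parse_strace_summary(text: str) -> List[SyscallRow]:
    """Return the per-syscall rows of an `strace -c` report.

    Header, rule and `total` lines are skipped. The optional `errors` column
    is detected by token count: 6 tokens with it, 5 without.
    """
    rows: List[SyscallRow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (5, 6) or parts[-1] == "total":
            continue
        try:
            seconds = float(parts[1])
            usecs = int(parts[2])
            calls = int(parts[3])
        except ValueError:
            continue  # a rule line such as "------ ----------- ..."
        errors = int(parts[4]) if len(parts) == 6 else 0
        rows.append(SyscallRow(parts[-1], calls, errors, seconds, usecs))
    return rows


def diagnose(rows: List[SyscallRow], duration_s: float,
             min_rate: float = 10_000.0, min_share: float = 0.9) -> Dict[str, object]:
    """Flag a busy loop: one syscall dominates, fires very often, and returns instantly.

    The thresholds are assumptions for this example; tune them for the workload.
    """
    total = sum(r.calls for r in rows)
    top = max(rows, key=lambda r: r.calls)
    rate = top.calls / duration_s
    share = top.calls / total
    busy = share >= min_share and rate >= min_rate and top.usecs_per_call == 0
    return {"top": top.name, "calls_per_sec": rate, "share": share,
            "total_calls": total, "top_errors": top.errors, "busy_loop": busy}


if __name__ == "__main__":
    for label, text in (("Server #1", SERVER1), ("Server #2", SERVER2), ("healthy", HEALTHY)):
        d = diagnose(parse_strace_summary(text), duration_s=10)
        print(f"{label}: top={d['top']} {d['calls_per_sec']:.0f} calls/s "
              f"share={d['share']:.1%} errors={d['top_errors']} busy_loop={d['busy_loop']}")
```

Both posted summaries come out flagged (`read` at roughly 16,600 and 29,300 calls per second with zero errors and zero usecs/call), while the constructed daemon that spends its time in `select()` does not. The absence of errors on those reads is worth noting when reading such output: the loop is not failing, it is being handed nothing to do and asking again, which is the "lock/loop somewhere" Daniel Cid suspects; the next step would be `strace` without `-c` (or with `-e trace=read`) to see which descriptor the reads hit and what they return.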
