Just in case anyone runs into this on OpenBSD: I had an issue with agents disconnecting, and it was related to system limits. I exceeded the system default for open files and needed to adjust it with ulimit -n "integer".

On Thu, May 19, 2011 at 1:12 PM, Doug Burks <[email protected]> wrote
> I ran strace in count mode for 10 seconds on both servers:
>
> Server #1
> strace -c -p 9773
> Process 9773 attached - interrupt to quit
> Process 9773 detached
> % time     seconds  usecs/call     calls    errors syscall
> ------ ----------- ----------- --------- --------- ----------------
>  99.68    0.028147           0    165935           read
>   0.17    0.000048           0       157           recvfrom
>   0.08    0.000022           0       126           _llseek
>   0.07    0.000019           0       157           time
>   0.00    0.000000           0       114           write
> ------ ----------- ----------- --------- --------- ----------------
> 100.00    0.028236                166489           total
>
> Server #2
> strace -c -p 855
> Process 855 attached - interrupt to quit
> Process 855 detached
> % time     seconds  usecs/call     calls    errors syscall
> ------ ----------- ----------- --------- --------- ----------------
> 100.00    0.017206           0    292706           read
>   0.00    0.000000           0         3           lseek
>   0.00    0.000000           0        46           recvfrom
>   0.00    0.000000           0        46           time
> ------ ----------- ----------- --------- --------- ----------------
> 100.00    0.017206                292801           total
>
> What else would you like to see?
>
> Thanks,
> --
> Doug Burks, GSE, CISSP
> President, Greater Augusta ISSA
> http://augusta.issa.org
> http://securityonion.blogspot.com
>
> On Thu, May 19, 2011 at 10:06 AM, Doug Burks <[email protected]> wrote:
> > I've verified this issue on two CentOS 5.6 servers now:
> > 1. OSSEC Server installation with ~40 agents. Attaching strace to
> > the ossec-analysisd process shows that it's receiving syscheck info
> > (filenames and hashes) from some of the OSSEC agents.
> > 2. OSSEC local installation. Attaching strace to the ossec-analysisd
> > process shows that it's receiving syscheck info (filenames and hashes)
> > from some of the local files. (Of course, this doesn't cause the
> > agents to disconnect since it is a local installation and there are no
> > agents.)
> >
> > Thanks,
> > --
> > Doug Burks, GSE, CISSP
> > President, Greater Augusta ISSA
> > http://augusta.issa.org
> > http://securityonion.blogspot.com
> >
> >
> > On Thu, May 19, 2011 at 9:23 AM, Daniel Cid <[email protected]> wrote:
> >> Awesome! :) Can you run strace in there so we can get an idea on what
> >> it is doing? It is probably
> >> in a lock/loop somewhere....
> >>
> >> thanks,
> >>
> >> On Thu, May 19, 2011 at 9:36 AM, Doug Burks <[email protected]> wrote:
> >>> My CentOS 5.6 server is now displaying this behavior again. ossec-analysisd
> >>> is at 99% CPU usage and causing agents to disconnect. It's been a few weeks
> >>> since performing the upgrade to CentOS 5.6 and I haven't seen the issue
> >>> until today. Any ideas on how to troubleshoot ossec-analysisd?
> >>> Thanks,
> >>> Doug
> >>
> >
> >
> >
> > --
> > Doug Burks, GSE, CISSP
> > President, Greater Augusta ISSA
> > http://augusta.issa.org
> > http://securityonion.blogspot.com
> >
>
