I've never seen the processes run in debug mode without being run in debug mode.
I'd try an upgrade from a clean source directory. Or even try the 2.6 beta.


On Thu, Jul 7, 2011 at 3:16 PM, William Voyek <[email protected]> wrote:
> On Thu, Jul 7, 2011 at 11:44 AM, dan (ddp) <[email protected]> wrote:
>> Other than the log message there isn't any indication the processes
>> are running in debug mode.
>> This is how they generally look in debug mode:
>> root      4356  4.4  0.4  7600  7720 ??  S     29Jun11  185:22.82
>> /var/ossec/bin/ossec-syscheckd -d
>> ossecm      36  0.0  0.2  4564  4940 ??  S     29Jun11    0:03.57
>> /var/ossec/bin/ossec-csyslogd -d
>> root     27304  0.0  0.0   536   892 ??  I     29Jun11    0:00.10
>> /var/ossec/bin/ossec-execd -d
>> ossec    22263  0.0  0.3  3400  5348 ??  S     29Jun11   14:07.31
>> /var/ossec/bin/ossec-analysisd -d
>> root     32060  0.0  0.1   884  1272 ??  S     29Jun11    0:52.38
>> /var/ossec/bin/ossec-logcollector -d (ossec-logcollect)
>> ossecr   30702  0.0  0.1  2916  1460 ??  S     29Jun11    0:18.68
>> /var/ossec/bin/ossec-remoted -d
>> ossec    28070  0.0  0.1   952  1032 ??  I     29Jun11    0:55.38
>> /var/ossec/bin/ossec-monitord -d
>>
>> Also, that system always runs the processes in debug mode, and the log
>> file isn't very big (since Feb).
>>
>> What kinds of messages are causing your logfile to grow to 10G?
>>
>
> It appears that for each logfile, system, eventlog, etc. monitored I'm
> getting these in the log:
>
> 2011/07/07 12:07:16 ossec-analysisd: DEBUG: Checking the rules - 9
> 2011/07/07 12:07:16 ossec-analysisd: DEBUG: Waiting for msgs - 1310065636
> 2011/07/07 12:07:16 ossec-analysisd: DEBUG: Received msg:
> 1:(myhost.mydomain) 10.0.0.101->WinEvtLog:WinEvtLog: Security:
> AUDIT_SUCCESS(538): Security: a_user: MYDOMAIN: MYHOST: User Logoff:
>        User Name: a_user       Domain:         MYDOMAIN        Logon ID:
>        (0x2,0xA12345B7)        Logon Type: 3
> 2011/07/07 12:07:16 ossec-analysisd: DEBUG: Msg cleanup: WinEvtLog:
> Security: AUDIT_SUCCESS(538): Security: a_user: MYDOMAIN: MYHOST: User
> Logoff:         User Name: a_user       Domain:         MYDOMAIN        Logon 
> ID:
>        (0x2,0xA12345B7)        Logon Type: 3
>
>
> There were 10,000+ messages logged to that file in the last five minutes.
>
> William
>
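
An added triage example, not written by anyone in this thread and not OSSEC project code: it checks a `ps` listing for daemons started with `-d` and measures how much of an `ossec.log` excerpt is DEBUG output per daemon. The function names are hypothetical, the log-line pattern is assumed from the DEBUG lines quoted above, and both sample inputs are constructed.

```python
import re
from collections import Counter

# Log entry header as seen in the quoted lines, e.g.
# "2011/07/07 12:07:16 ossec-analysisd: DEBUG: ..." (format assumed from the thread).
LOG_RE = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} ([\w-]+)(?:\(\d+\))?: (\w+): ")
# Daemon path under /var/ossec/bin followed by any "-x" style arguments.
PS_RE = re.compile(r"/var/ossec/bin/(ossec-[\w-]+)((?:\s+-\w+)*)")

def debug_daemons(ps_text):
    """Map each OSSEC daemon in a ps listing to True if it was started with -d."""
    joined = " ".join(ps_text.split())  # undo terminal/mail line wrapping
    return {m.group(1): "-d" in m.group(2).split() for m in PS_RE.finditer(joined)}

def tally(log_lines):
    """Count entries per (daemon, level); wrapped continuation lines are skipped."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group(1), m.group(2)] += 1
    return counts

def debug_share(counts):
    """Fraction of counted entries that are DEBUG (0.0 for an empty log)."""
    total = sum(counts.values())
    debug = sum(n for (_, level), n in counts.items() if level == "DEBUG")
    return debug / total if total else 0.0

# Constructed sample: ps output shaped like the listing above, one daemon without -d.
SAMPLE_PS = """\
root      4356  4.4  0.4  7600  7720 ??  S     29Jun11  185:22.82
/var/ossec/bin/ossec-syscheckd -d
ossec    22263  0.0  0.3  3400  5348 ??  S     29Jun11   14:07.31
/var/ossec/bin/ossec-analysisd -d
ossec    28070  0.0  0.1   952  1032 ??  I     29Jun11    0:55.38
/var/ossec/bin/ossec-monitord
"""
# Constructed sample: three DEBUG entries (one wrapped) and one INFO entry.
SAMPLE_LOG = """\
2011/07/07 12:07:16 ossec-analysisd: DEBUG: Checking the rules - 9
2011/07/07 12:07:16 ossec-analysisd: DEBUG: Waiting for msgs - 1310065636
2011/07/07 12:07:16 ossec-analysisd: DEBUG: Received msg:
1:(myhost.mydomain) 10.0.0.101->WinEvtLog:WinEvtLog: Security:
2011/07/07 12:07:17 ossec-syscheckd: INFO: Starting syscheck scan.
""".splitlines()

if __name__ == "__main__":
    print(debug_daemons(SAMPLE_PS))
    print(tally(SAMPLE_LOG).most_common(), debug_share(tally(SAMPLE_LOG)))
```

On a real system, feed `debug_daemons` the output of `ps` and `tally` the lines of the OSSEC log file; a daemon with no `-d` in `ps` but a high DEBUG count in the log is the mismatch discussed in this thread.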
