> > >> > The problem is that if I use frequency to every 6-7 hrs it causes a
> > >> > UDP storm from 30+ machines for syscheck data on top of the usual
> > >> > alert sending. I've maxed out the buffer size on my linux kernel,
> > >> > ossec server agent count is very high, and the server can handle it,
> > >> > just that there's so much that the ossec server doesn't read the buffer
> > >> > fast enough for the data coming through so I get intermittent results/
> > >> > data for the roughly 30 min window while all these machines send their
> > >> > syscheck results.
>
Does the tcp protocol option in the remote section of the server config affect syscheck logging from client to server? If so, would that solve your problem?
