Every time you restart ossec, it runs a local syscheck scan (if installed in local mode). I'm guessing that high CPU usage is due to I/O while reading the syscheck DB.
From the source code, it looks like analysisd scans the syscheckDB file for every file it has to match. For a 240 MB file, that can possibly cause high I/O. Can you reduce the size of the syscheck DB? (syscheck-control -u <id>)

On Fri, Apr 20, 2012 at 9:12 AM, Valentin Avram <[email protected]> wrote:
> /var/ossec/queue/syscheck/syscheck has 240 MB
> /var/ossec/queue/syscheck/(<agent-server-name>) <agent-server-ip>->syscheck files take up 189 MB
