The 20000 came from etc/internal_options.conf:

    # Remoted compression averages printout.
    remoted.comp_average_printout=19999

When the event count > 19999, it will log the message and reset the event count to 0. The % means the compression ratio. This log message is harmless. What you should look for is why the agents sent so many events, and fine-tune your configuration. You can start by checking what kind of events were repeated so many times.

On Tuesday, December 11, 2012 10:06:12 AM UTC-8, YatZeck wrote:
>
> Hi, did anyone solve this issue in a managed environment?
> Y.
>
> On Monday, December 3, 2012 09:30:53 UTC+1, user YatZeck wrote:
>>
>> Hi OSSec guys!
>> I've read a little about people's problems with "Event count after
>> '20000'", but I think none found a solution. My problem is the ossec agent is
>> filling network bandwidth to its limit.
>> What kind of troubleshooting can I do?
>> Regards, Y.
>>
