Take a look at your /var/ossec/logs/alert/alerts.log file.  See how fast it 
is growing.
See if there is one particular kind of alert happening most frequently. 
You may adjust the minimal level to trigger alerts in the ossec.conf file.

On Wednesday, January 30, 2013 5:44:53 AM UTC-8, YatZeck wrote:
>
> Hi!
> Of course it is indeed the only reasonable way to solve this issue, but 
> please let me know, where to start from.
> Thanx.
> Y.
>
> On Thursday, 20 December 2012 22:58:52 UTC+1, user Jb Cheng wrote:
>
>> The 20000 came from etc/internal_options.conf  
>>    # Remoted compression averages printout.
>>    remoted.comp_average_printout=19999
>>
>> When event count > 19999, it will log the message, and reset the event 
>> count to 0.   The % means the compression ratio. 
>> This log message is harmless. 
>> What you should look for is why the agents sent so many events and fine 
>> tune your configuration. 
>> You can start by checking what kind of events were repeated so many 
>> times. 
>>
>> On Tuesday, December 11, 2012 10:06:12 AM UTC-8, YatZeck wrote: 
>>>
>>> Hi, did anyone solve this issue in a managed environment?
>>> Y.
>>>
>>>> On Monday, 3 December 2012 09:30:53 UTC+1, user YatZeck wrote:
>>>>
>>>> Hi OSSec guys!
>>>> I've read a little about people's problems with "Event count after
>>>> '20000'", but I think no one found a solution. My problem is that the ossec agent is
>>>> filling network bandwidth to its limit.
>>>> What kind of troubleshooting can I do?
>>>> Regards, Y.
>>>>
>>>
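
One way to run the check suggested in this thread (which alert repeats most often, and from which agent), as an added example that is not part of the original messages or of OSSEC itself. It assumes the default multi-line alerts.log layout (`** Alert` header, timestamp and source line, `Rule:` line); the function names and the sample alerts are constructed for illustration.

```python
import re
import sys
from collections import Counter

ALERT_START = re.compile(r"^\*\* Alert \d+\.\d+:")
SOURCE_LINE = re.compile(r"^\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} (.+?)->")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'")

def tally(lines):
    """Count alerts per (rule id, level, description) and per reporting source."""
    by_rule, by_source = Counter(), Counter()
    in_alert, source = False, None
    for line in lines:
        if ALERT_START.match(line):
            in_alert, source = True, None
        elif in_alert and source is None and (m := SOURCE_LINE.match(line)):
            source = m.group(1)  # "(agent) ip" for agents, bare hostname for the manager
        elif in_alert and (m := RULE_LINE.match(line)):
            by_rule[(int(m.group(1)), int(m.group(2)), m.group(3))] += 1
            by_source[source or "unknown"] += 1
            in_alert = False  # the rest of the block is raw log text; skip it
    return by_rule, by_source

def remaining_at_level(by_rule, min_level):
    """Alerts that would still be logged if the minimum alert level were min_level."""
    return sum(n for (_, level, _), n in by_rule.items() if level >= min_level)

def _block(src, rule, level, desc):
    # Builds one constructed alert in the assumed layout (sample data, not from the thread).
    return (f"** Alert 1359553493.0: - syslog,\n"
            f"2013 Jan 30 05:44:53 {src}->/var/log/auth.log\n"
            f"Rule: {rule} (level {level}) -> '{desc}'\n"
            f"raw log line that triggered the rule\n\n")

SAMPLE = (_block("(web01) 10.0.0.5", 5716, 5, "SSHD authentication failed.") * 3
          + _block("(db01) 10.0.0.6", 5501, 3, "Login session opened.")
          + _block("mgr", 1002, 2, "Unknown problem somewhere in the system."))

if __name__ == "__main__":
    # Pass the path to alerts.log as the first argument; without one, the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            rules, sources = tally(fh)
    else:
        rules, sources = tally(SAMPLE.splitlines())
    for (rule, level, desc), n in rules.most_common(10):
        print(f"{n:8d}  rule {rule} (level {level})  {desc}")
    for src, n in sources.most_common(10):
        print(f"{n:8d}  {src}")
```

Comparing `remaining_at_level` for a few candidate levels shows how much of the alert volume a higher minimum level would drop before the setting is changed.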
