On Sun, Oct 20, 2013 at 2:08 PM, rim bulls <[email protected]> wrote:
> last pid: 91525;  load averages:  0.94,  1.04,  1.14
> up 200+21:11:42 21:07:27
> 425 processes: 3 running, 420 sleeping, 2 zombie
> CPU:  5.4% user,  0.0% nice,  3.5% system,  0.6% interrupt, 90.6% idle
> Mem: 2778M Active, 1172M Inact, 10G Wired, 151M Cache, 1646M Buf, 1277M Free
> Swap: 4096M Total, 182M Used, 3914M Free, 4% Inuse
>
>   PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
> 73370 ossec       1  44    0  7876K  3668K sbwait  7   0:07  0.00% ossec-analysisd
> 73389 ossec       1  44    0  5832K   956K nanslp  4   0:00  0.00% ossec-monitord
>
> About logs - how much is "a lot"? How can I measure?
>

It depends on the system. How many log messages per second (estimate)?

>
>
> 2013/10/20 dan (ddp) <[email protected]>
>>
>> On Sun, Oct 20, 2013 at 1:13 PM, rim bulls <[email protected]> wrote:
>> > Max email limit? Don't know about email limits.
>> > The delay is between the log record in the Apache logfile and the
>> > alert record in "$ossec/logs/alerts/alerts.log".
>> > For example: a record is written to the log file at 12.00, and the alert
>> > is generated at 12.30.
>> > This is local installation, no server-agent.
>> >
>> > One more thing - I use a custom decoder for the Apache log file, like here:
>> > "http://marc.info/?l=ossec-list&m=120177942010907"
>> >
>> >   Thanks in advance!
>> >
>>
>> Is the system overloaded? How much CPU % is
>> ossec-analysisd/ossec-logcollector using? Are you pushing a lot of
>> logs through it?
>>
>> >
>> > 2013/10/20 dan (ddp) <[email protected]>
>> >
>> >>
>> >> On Oct 19, 2013 5:13 PM, "rim bulls" <[email protected]> wrote:
>> >> >
>> >> > Hello!
>> >> > Excuse my English, it is not my native language.
>> >> >
>> >> > Can someone help me with the following issue:
>> >> > OSSEC version: ossec-hids-local-2.7
>> >> > OS: FreeBSD 8.3
>> >> > Monitoring Apache access log files. After running
>> >> > OSSEC for some time, ~10-20 min., a delay appears between the entry
>> >> > in the log file and the OSSEC-generated alert.
>> >> >
>> >> > Example:
>> >> > ** Alert 1380315612.1843: - apache-custom,
>> >> > 2013 Sep 28 00:00:12 mas->/var/log/web_access.log
>> >> > Rule: 100288 (level 1) -> 'permit 404 "not found" '
>> >> > Src IP: 83.136.136.54
>> >> > www.besttech.lt 83.136.136.54 - - [27/Sep/2013:11:29:34 +0300] "GET
>> >> >
>> >> >
>> >> > /ads/content/banner/20121025221552-3803.swf?clickTAG=http://www.besttech.lt/ads/?fwd=1811
>> >> > HTTP/1.1" 403 244
>> >> > "http://www.siesuks.lv/receptes/majas-trte-a-varito-kremu-207841/"
>> >> > "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0;
>> >> > SLCC2;
>> >> > .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media
>> >> > Center
>> >> > PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
>> >> >
>> >> > The alert is generated at 2013 Sep 28 00:00:12, the log file entry is
>> >> > 27/Sep/2013:11:29:34.
>> >> >
>> >>
>> >> Did you reach the max email limit that hour?
>> >>
>> >> > The longer OSSEC runs, the larger the delay gets.
>> >> >
>> >> > I searched for answer using search engines, but did not get any
>> >> > answer. Can someone provide me some useful information, so I can
>> >> > resolve this case, please.
>> >> >
>> >> > Kind regards.
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> > send
>> >> > an email to [email protected].
>> >> > For more options, visit https://groups.google.com/groups/opt_out.
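
One way to put numbers on the two questions in this thread (how far alerts lag behind the log, and how many log messages per second arrive), as an added example that is not part of the original messages. It assumes the alert block layout shown in the alert quoted above (a `** Alert <epoch>.<id>:` header followed by the raw Apache line) and bracketed Apache timestamps; the sample data is constructed, with the first alert shortened from the one in the thread.

```python
import re
from datetime import datetime

ALERT_RE = re.compile(r"^\*\* Alert (\d+)\.\d+:")
APACHE_TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def alert_lags(alerts_text):
    """Return [(alert_epoch, lag_seconds)]: alert time minus the Apache entry time."""
    lags, alert_epoch = [], None
    for line in alerts_text.splitlines():
        header = ALERT_RE.match(line)
        if header:
            alert_epoch = int(header.group(1))  # when analysisd wrote the alert
            continue
        ts = APACHE_TS_RE.search(line)
        if ts and alert_epoch is not None:
            event = datetime.strptime(ts.group(1), TS_FORMAT)
            lags.append((alert_epoch, alert_epoch - int(event.timestamp())))
            alert_epoch = None  # only the first timestamp in each alert counts
    return lags

def events_per_second(log_text):
    """Estimate log volume: entries divided by the seconds they span."""
    stamps = [datetime.strptime(t, TS_FORMAT).timestamp()
              for t in APACHE_TS_RE.findall(log_text)]
    if not stamps:
        return 0.0
    # Timestamps have 1 s resolution, so first..last covers (span + 1) seconds.
    return len(stamps) / (max(stamps) - min(stamps) + 1)

# Constructed sample: first alert shortened from the thread, second one invented.
SAMPLE_ALERTS = """\
** Alert 1380315612.1843: - apache-custom,
2013 Sep 28 00:00:12 mas->/var/log/web_access.log
Rule: 100288 (level 1) -> 'permit 404 "not found" '
www.besttech.lt 83.136.136.54 - - [27/Sep/2013:11:29:34 +0300] "GET /ads/ HTTP/1.1" 403 244

** Alert 1380315630.2301: - apache-custom,
2013 Sep 28 00:00:30 mas->/var/log/web_access.log
Rule: 100288 (level 1) -> 'permit 404 "not found" '
example.test 192.0.2.10 - - [27/Sep/2013:11:29:40 +0300] "GET /x HTTP/1.1" 404 1
"""
# Constructed access log: 6 entries spread over 3 wall-clock seconds.
SAMPLE_LOG = "\n".join(
    f'192.0.2.10 - - [27/Sep/2013:11:29:{s:02d} +0300] "GET / HTTP/1.1" 200 1'
    for s in (34, 34, 35, 36, 36, 36))

if __name__ == "__main__":
    for epoch, lag in alert_lags(SAMPLE_ALERTS):
        print(f"alert {epoch}: {lag} s behind the log ({lag / 3600:.1f} h)")
    print(f"{events_per_second(SAMPLE_LOG):.1f} events/s")
```

A lag that keeps growing between consecutive alerts, as in the sample, means entries are arriving faster than they are being analysed.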