Ok, here it is. Apache log file from 00.00 to 19.00. I calculated it this way:

Log events:
cat apache_access.log | wc -l
2723860

Time:
$19 * 60 * 60
68400

Events per second:
$2723860 / 68400
39

Log file size:
752M Oct 21 19:02 access.log

So the average result is ~39 events per second. For now I get a delay that makes the system unusable:

** Alert 1382370724.8571820: - web,appsec,attack
2013 Oct 21 18:52:04 mate->/var/log/access.log
Rule: 31509 (level 3) -> 'WordPress login attempt.'
Src IP: 146.0.74.208
www.ofroadt.com 146.0.74.208 - - [21/Oct/2013:14:44:14 +0300] "POST /wp-login.php HTTP/1.1" 200 3239 "http://ofroadt.com/wp-login.php" "Mozilla/4.0"

Thank you for helping!

2013/10/20 dan (ddp) <[email protected]>

> On Sun, Oct 20, 2013 at 2:08 PM, rim bulls <[email protected]> wrote:
> > last pid: 91525;  load averages:  0.94,  1.04,  1.14
> > up 200+21:11:42  21:07:27
> > 425 processes: 3 running, 420 sleeping, 2 zombie
> > CPU:  5.4% user,  0.0% nice,  3.5% system,  0.6% interrupt, 90.6% idle
> > Mem: 2778M Active, 1172M Inact, 10G Wired, 151M Cache, 1646M Buf, 1277M Free
> > Swap: 4096M Total, 182M Used, 3914M Free, 4% Inuse
> >
> >   PID USERNAME  THR PRI NICE   SIZE    RES STATE  C   TIME   WCPU COMMAND
> > 73370 ossec       1  44    0  7876K  3668K sbwait 7   0:07  0.00% ossec-analysisd
> > 73389 ossec       1  44    0  5832K   956K nanslp 4   0:00  0.00% ossec-monitord
> >
> > About logs - how much is "a lot"? How can I measure?
> >
>
> It depends on the system. How many log messages per second (estimate)?
>
> >
> >
> > 2013/10/20 dan (ddp) <[email protected]>
> >>
> >> On Sun, Oct 20, 2013 at 1:13 PM, rim bulls <[email protected]> wrote:
> >> > Max email limit? Don't know about email limits.
> >> > The delay is between the log record in the apache logfile and
> >> > the alert record in "$ossec/logs/alerts/alerts.log".
> >> > For example: a record in the log file is recorded at 12.00, the alert is
> >> > generated at 12.30.
> >> > This is a local installation, no server-agent.
> >> >
> >> > One more thing - I use a custom decoder for the apache log file, like here:
> >> > "http://marc.info/?l=ossec-list&m=120177942010907"
> >> >
> >> > Thanks in advance!
> >> >
> >>
> >> Is the system overloaded? How much CPU % is
> >> ossec-analysisd/ossec-logcollectord using? Are you pushing a lot of
> >> logs through it?
> >>
> >> >
> >> > 2013/10/20 dan (ddp) <[email protected]>
> >> >
> >> >>
> >> >> On Oct 19, 2013 5:13 PM, "rim bulls" <[email protected]> wrote:
> >> >> >
> >> >> > Hello!
> >> >> > Excuse my English, it is not my native language.
> >> >> >
> >> >> > Can someone help me with the following issue:
> >> >> > OSSEC version: ossec-hids-local-2.7
> >> >> > OS: FreeBSD 8.3
> >> >> > Monitoring apache access log files. After running
> >> >> > OSSEC for some time, ~10-20min., there appears a delay between the entry in the log
> >> >> > file and
> >> >> > the ossec generated alert.
> >> >> >
> >> >> > Example:
> >> >> > ** Alert 1380315612.1843: - apache-custom,
> >> >> > 2013 Sep 28 00:00:12 mas->/var/log/web_access.log
> >> >> > Rule: 100288 (level 1) -> 'permit 404 "not found" '
> >> >> > Src IP: 83.136.136.54
> >> >> > www.besttech.lt 83.136.136.54 - - [27/Sep/2013:11:29:34 +0300] "GET
> >> >> > /ads/content/banner/20121025221552-3803.swf?clickTAG=http://www.besttech.lt/ads/?fwd=1811
> >> >> > HTTP/1.1" 403 244
> >> >> > "http://www.siesuks.lv/receptes/majas-trte-a-varito-kremu-207841/"
> >> >> > "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0;
> >> >> > SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media
> >> >> > Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
> >> >> >
> >> >> > The alert is generated at 2013 Sep 28 00:00:12, the log file entry is
> >> >> > 27/Sep/2013:11:29:34.
> >> >> >
> >> >>
> >> >> Did you reach the max email limit that hour?
> >> >>
> >> >> > The longer OSSEC runs, the larger the delay gets.
> >> >> >
> >> >> > I searched for an answer using search engines, but did not get any
> >> >> > answer. Can someone provide me some useful information, so I can
> >> >> > resolve this case, please.
> >> >> >
> >> >> > Kind regards.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
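As an added example (not code from the thread or from the OSSEC project), the script below measures the two things discussed above: the lag between an Apache access-log entry's own timestamp and the epoch stamp OSSEC writes in the `** Alert <epoch>.<id>:` header of alerts.log, and the events-per-second rate of an access log, computed from the first and last timestamps in the file rather than an assumed wall-clock window. The sample alerts.log content is constructed from the two alert records quoted in the thread (request lines shortened); the sample access log is constructed. It assumes the OSSEC alerts.log layout shown in the thread (a `** Alert` header followed by the decoded log line) and Apache's standard `[dd/Mon/yyyy:HH:MM:SS +zzzz]` timestamp.

```python
"""Measure OSSEC alert latency for Apache access-log events.

Added example, not from the ossec-list thread. Assumes the alerts.log layout
quoted in the thread: a '** Alert <epoch>.<id>:' header line, followed by the
alert metadata and the original Apache log line that triggered it.
"""
import re
import sys
from datetime import datetime
from statistics import mean

# "** Alert 1380315612.1843: - apache-custom," -> alert epoch 1380315612
ALERT_HEADER = re.compile(r"^\*\* Alert (?P<epoch>\d+)\.\d+:")
# Apache common/combined log timestamp, e.g. [27/Sep/2013:11:29:34 +0300]
APACHE_TS = re.compile(r"\[(\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def apache_epoch(ts):
    """Convert '27/Sep/2013:11:29:34 +0300' to a Unix epoch (UTC seconds)."""
    return int(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp())


def alert_lags(alerts_text):
    """One lag in seconds per alert block whose payload carries an Apache timestamp.

    lag = (epoch OSSEC stamped on the alert) - (timestamp Apache wrote in the log line)
    """
    lags = []
    alert_epoch = None
    for line in alerts_text.splitlines():
        header = ALERT_HEADER.match(line)
        if header:
            alert_epoch = int(header.group("epoch"))
            continue
        if alert_epoch is None:
            continue  # text before the first alert header, or a block already measured
        match = APACHE_TS.search(line)
        if match:
            lags.append(alert_epoch - apache_epoch(match.group(1)))
            alert_epoch = None  # one lag per alert block
    return lags


def summarize(lags):
    """Count, worst case and average, the numbers to quote when asking about backlog."""
    if not lags:
        return {"alerts": 0, "max_seconds": 0, "mean_seconds": 0.0}
    return {"alerts": len(lags), "max_seconds": max(lags), "mean_seconds": mean(lags)}


def events_per_second(access_log_text):
    """Line count divided by the span between the first and last Apache timestamps."""
    stamps = [apache_epoch(m.group(1)) for m in APACHE_TS.finditer(access_log_text)]
    if len(stamps) < 2 or stamps[-1] == stamps[0]:
        raise ValueError("need at least two lines with distinct timestamps")
    return len(stamps) / (stamps[-1] - stamps[0])


# Constructed sample: the two alerts quoted in the thread, request lines shortened.
SAMPLE_ALERTS = """\
** Alert 1380315612.1843: - apache-custom,
2013 Sep 28 00:00:12 mas->/var/log/web_access.log
Rule: 100288 (level 1) -> 'permit 404 "not found" '
Src IP: 83.136.136.54
www.besttech.lt 83.136.136.54 - - [27/Sep/2013:11:29:34 +0300] "GET /ads/ HTTP/1.1" 403 244 "-" "Mozilla/4.0"

** Alert 1382370724.8571820: - web,appsec,attack
2013 Oct 21 18:52:04 mate->/var/log/access.log
Rule: 31509 (level 3) -> 'WordPress login attempt.'
Src IP: 146.0.74.208
www.ofroadt.com 146.0.74.208 - - [21/Oct/2013:14:44:14 +0300] "POST /wp-login.php HTTP/1.1" 200 3239 "http://ofroadt.com/wp-login.php" "Mozilla/4.0"
"""

# Constructed sample access log: three requests spread over ten seconds.
SAMPLE_ACCESS = """\
10.0.0.1 - - [21/Oct/2013:14:44:00 +0300] "GET / HTTP/1.1" 200 512 "-" "curl/7.30"
10.0.0.2 - - [21/Oct/2013:14:44:05 +0300] "GET /index.php HTTP/1.1" 200 3239 "-" "Mozilla/4.0"
10.0.0.3 - - [21/Oct/2013:14:44:10 +0300] "POST /wp-login.php HTTP/1.1" 200 3239 "-" "Mozilla/4.0"
"""


if __name__ == "__main__":
    # Usage: python alert_lag.py [alerts.log [access.log]]; no arguments runs the samples.
    alerts = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    access = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_ACCESS
    lags = alert_lags(alerts)
    print("per-alert lag (s):", lags)            # samples -> [45038, 14870]
    print("summary:", summarize(lags))
    print("events/s:", round(events_per_second(access), 3))
```

On the two alerts from the thread the script reports lags of 45038 s (about 12.5 hours) and 14870 s (about 4.1 hours), which is the backlog the poster describes; run it periodically against the live alerts.log and a growing maximum confirms that analysisd is falling further behind rather than hitting a one-off burst.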
