Hi! On the Internet I found information that OSSEC is capable of handling ~600 EPS, so I wonder why it stops functioning correctly with my ~39 events per second in the server logs. I disabled unwanted rules in ossec.conf, as described in http://www.immutablesecurity.com/index.php/2009/10/30/week-of-ossec-day-6-developing-a-tuning-strategy/ - no luck. Then I took one of the busiest Apache virtual host logs out of OSSEC, and alerts are generated correctly. So the delay between an event in my server log files and the OSSEC-generated alert in the OSSEC logs is related to EPS. It looks like logcollector can't read the log fast enough.

Does anyone have any experience with handling large numbers of EPS? Is there some tuning that has to be done? Very sorry for my English :( Have Sun!

2013/10/22 rim bulls <[email protected]>

> Hello again!
>
> The average result is ~39 events per second.
>
> Are there any limits? I switched debugging mode on for ossec-analysisd/ossec-logcollectord (internal_options.conf), but the only thing I can see is a growing delay.
>
> Can someone provide any usable information to help solve the problem?
>
> Thank you!
>
>
> 2013/10/20 dan (ddp) <[email protected]>
>
>> On Sun, Oct 20, 2013 at 2:08 PM, rim bulls <[email protected]> wrote:
>>> last pid: 91525;  load averages:  0.94,  1.04,  1.14    up 200+21:11:42  21:07:27
>>> 425 processes: 3 running, 420 sleeping, 2 zombie
>>> CPU:  5.4% user,  0.0% nice,  3.5% system,  0.6% interrupt, 90.6% idle
>>> Mem: 2778M Active, 1172M Inact, 10G Wired, 151M Cache, 1646M Buf, 1277M Free
>>> Swap: 4096M Total, 182M Used, 3914M Free, 4% Inuse
>>>
>>>   PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
>>> 73370 ossec       1  44    0  7876K  3668K sbwait  7   0:07  0.00% ossec-analysisd
>>> 73389 ossec       1  44    0  5832K   956K nanslp  4   0:00  0.00% ossec-monitord
>>>
>>> About logs - how much is "a lot"? How can I measure?
>>>
>>
>> It depends on the system. How many log messages per second (estimate)?
>>
>>>
>>>
>>> 2013/10/20 dan (ddp) <[email protected]>
>>>
>>>> On Sun, Oct 20, 2013 at 1:13 PM, rim bulls <[email protected]> wrote:
>>>>> Max email limit? I don't know about email limits.
>>>>> The delay is between the log record in the Apache logfile and
>>>>> the alert record in "$ossec/logs/alerts/alerts.log".
>>>>> For example: the record in the log file is recorded at 12.00, the alert is
>>>>> generated at 12.30.
>>>>> This is a local installation, no server-agent.
>>>>>
>>>>> One more thing - I use a custom decoder for the Apache log file, like here:
>>>>> "http://marc.info/?l=ossec-list&m=120177942010907"
>>>>>
>>>>> Thanks in advance!
>>>>>
>>>> Is the system overloaded? How much CPU % is
>>>> ossec-analysisd/ossec-logcollectord using? Are you pushing a lot of
>>>> logs through it?
>>>>
>>>>>
>>>>> 2013/10/20 dan (ddp) <[email protected]>
>>>>>
>>>>>> On Oct 19, 2013 5:13 PM, "rim bulls" <[email protected]> wrote:
>>>>>>>
>>>>>>> Hello!
>>>>>>> Excuse my English, it is not my native language.
>>>>>>>
>>>>>>> Can someone help me with the following issue:
>>>>>>> OSSEC version: ossec-hids-local-2.7
>>>>>>> OS: FreeBSD 8.3
>>>>>>> Monitoring Apache access log files. After OSSEC has been running
>>>>>>> for some time, ~10-20 min., a delay appears between the entry in the
>>>>>>> log file and the OSSEC-generated alert.
>>>>>>>
>>>>>>> Example:
>>>>>>> ** Alert 1380315612.1843: - apache-custom,
>>>>>>> 2013 Sep 28 00:00:12 mas->/var/log/web_access.log
>>>>>>> Rule: 100288 (level 1) -> 'permit 404 "not found" '
>>>>>>> Src IP: 83.136.136.54
>>>>>>> www.besttech.lt 83.136.136.54 - - [27/Sep/2013:11:29:34 +0300] "GET /ads/content/banner/20121025221552-3803.swf?clickTAG=http://www.besttech.lt/ads/?fwd=1811 HTTP/1.1" 403 244 "http://www.siesuks.lv/receptes/majas-trte-a-varito-kremu-207841/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)"
>>>>>>>
>>>>>>> The alert is generated at 2013 Sep 28 00:00:12, the log file entry is
>>>>>>> 27/Sep/2013:11:29:34.
>>>>>>>
>>>>>>
>>>>>> Did you reach the max email limit that hour?
>>>>>>
>>>>>>> The longer OSSEC runs, the larger the delay gets.
>>>>>>>
>>>>>>> I searched for an answer using search engines, but did not get any
>>>>>>> answer. Can someone provide me with some useful information, so I can
>>>>>>> resolve this case, please.
>>>>>>>
>>>>>>> Kind regards.
>>>>>>>

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
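Added example, not code from the thread or from OSSEC: a small Python script that measures the two things the thread is circling around. First, the lag between an Apache access-log entry's own timestamp and the epoch in the `** Alert <epoch>.<id>:` header that OSSEC writes above it in alerts.log (the "12.00 vs 12.30" delay). Second, the events-per-second rate of an access log, reported as both the average and the busiest single second, which is the estimate dan asked for. The first alert block in the sample is the one quoted in the thread with the request line and user agent trimmed; the second alert block and the access-log lines are constructed sample data. The alerts.log layout (header, date/host line, Rule, Src IP, then the original log line) is assumed from what the thread shows.

```python
"""Lag and event-rate measurement for an OSSEC local install.

Added example; not code from the thread or from OSSEC. Assumes the
alerts.log layout visible in the thread:

    ** Alert <epoch>.<id>: - <group>
    <date> <host>-><logfile>
    Rule: ...
    Src IP: ...
    <original log line>

and Apache access-log timestamps of the form [27/Sep/2013:11:29:34 +0300].
"""
import re
from collections import Counter
from datetime import datetime

ALERT_HEADER = re.compile(r"^\*\* Alert (\d+)\.\d+:")
APACHE_TIME = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
APACHE_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def apache_epoch(line):
    """UTC epoch of the Apache timestamp embedded in `line`, or None."""
    match = APACHE_TIME.search(line)
    if not match:
        return None
    # %z consumes the +0300 offset, so .timestamp() yields a true UTC epoch
    return int(datetime.strptime(match.group(1), APACHE_FORMAT).timestamp())


def alert_lags(alerts_text):
    """(alert_epoch, log_epoch, lag_seconds) for each alert block whose
    logged line carries an Apache timestamp.

    The alert epoch is when ossec-analysisd wrote the alert; the log epoch
    is when Apache handled the request. Their difference is the end-to-end
    delay the thread is about (collector backlog plus analysis time)."""
    lags = []
    alert_epoch = None
    for line in alerts_text.splitlines():
        header = ALERT_HEADER.match(line)
        if header:
            alert_epoch = int(header.group(1))
            continue
        if alert_epoch is None:
            continue
        log_epoch = apache_epoch(line)
        if log_epoch is not None:
            lags.append((alert_epoch, log_epoch, alert_epoch - log_epoch))
            alert_epoch = None  # one original log line per alert block
    return lags


def eps_stats(access_lines):
    """(total_events, busiest_second, average_eps) for an access log.

    The average is what people quote; the busiest second is what decides
    whether the collector falls behind and never catches up."""
    per_second = Counter()
    for line in access_lines:
        epoch = apache_epoch(line)
        if epoch is not None:
            per_second[epoch] += 1
    if not per_second:
        return (0, 0, 0.0)
    total = sum(per_second.values())
    span = max(per_second) - min(per_second) + 1
    return (total, max(per_second.values()), total / span)


# Constructed sample data. The first alert block is the one quoted in the
# thread (request line and user agent trimmed); the second block and the
# access-log lines are made up to show a healthy ~2 s lag and a small burst.
SAMPLE_ALERTS = """\
** Alert 1380315612.1843: - apache-custom,
2013 Sep 28 00:00:12 mas->/var/log/web_access.log
Rule: 100288 (level 1) -> 'permit 404 "not found" '
Src IP: 83.136.136.54
www.besttech.lt 83.136.136.54 - - [27/Sep/2013:11:29:34 +0300] "GET /ads/content/banner/x.swf HTTP/1.1" 403 244 "-" "Mozilla/4.0"

** Alert 1380315700.1850: - apache-custom,
2013 Sep 28 00:01:40 mas->/var/log/web_access.log
Rule: 100288 (level 1) -> 'permit 404 "not found" '
Src IP: 10.0.0.5
example.test 10.0.0.5 - - [28/Sep/2013:00:01:38 +0300] "GET /missing HTTP/1.1" 404 512 "-" "curl/7.30"
"""

SAMPLE_ACCESS = [
    'example.test 10.0.0.1 - - [27/Sep/2013:11:29:34 +0300] "GET / HTTP/1.1" 200 1024 "-" "curl/7.30"',
    'example.test 10.0.0.2 - - [27/Sep/2013:11:29:34 +0300] "GET /a HTTP/1.1" 200 1024 "-" "curl/7.30"',
    'example.test 10.0.0.3 - - [27/Sep/2013:11:29:34 +0300] "GET /b HTTP/1.1" 404 244 "-" "curl/7.30"',
    'example.test 10.0.0.4 - - [27/Sep/2013:11:29:35 +0300] "GET /c HTTP/1.1" 200 1024 "-" "curl/7.30"',
    'example.test 10.0.0.5 - - [27/Sep/2013:11:29:35 +0300] "GET /d HTTP/1.1" 200 1024 "-" "curl/7.30"',
]

if __name__ == "__main__":
    for alert_epoch, log_epoch, lag in alert_lags(SAMPLE_ALERTS):
        print(f"alert {alert_epoch} for log event {log_epoch}: lag {lag} s")
    total, peak, avg = eps_stats(SAMPLE_ACCESS)
    print(f"{total} events, peak {peak} EPS, average {avg:.1f} EPS")
```

Run against a real alerts.log and access log by reading the files into `alert_lags()` and `eps_stats()` in place of the samples. Two caveats when interpreting the numbers: the lag is only meaningful if the Apache log's UTC offset and the OSSEC host clock agree (the thread's own alert works out to a lag of 45038 s, about 12.5 hours, not the half hour mentioned in the reply, which is the kind of thing this check makes visible), and a collector that keeps up with the average rate can still fall behind permanently if bursts exceed what it drains per poll, so compare the busiest-second figure, not the average, against the throughput you are designing for.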
