On Oct 24, 2013 5:36 AM, "rim bulls" <[email protected]> wrote:
>
> Hi!
> On the Internet I found info that OSSEC is capable of handling ~600 EPS, so I
> wonder why it stops functioning correctly with my ~39 events per sec. in
> server logs?
> I disabled unwanted rules in ossec.conf, as described in
> "http://www.immutablesecurity.com/index.php/2009/10/30/week-of-ossec-day-6-developing-a-tuning-strategy/"
> - no luck.
> Then I took out one of the busiest Apache virtualhost logs from OSSEC -
> alerts are generated correctly. So those delays between an event in my server
> log files and the OSSEC-generated alert in the OSSEC logs are related to EPS.
> Looks like logcollector can't read the log fast enough.
>

You only had the 1 log source though, right? When you calculated the 39 eps
you only did that for 1 log file. Are there more logs you are monitoring?
Why weren't they part of the calculation?

> Does someone have any experience with handling large numbers of EPS? Is
> there some tuning that has to be done?
> Very sorry for my English :(
> Have Sun!
>
>
> 2013/10/22 rim bulls <[email protected]>
>>
>> Hello again!
>>
>> Average result is ~39 events per second.
>>
>> Are there any limits? I switched debugging mode on for
>> ossec-analysisd/ossec-logcollectord (internal_options.conf), but the only thing
>> I can see is a growing delay.
>>
>> Can someone provide any usable information to help solve the problem?
>>
>> Thank you!
>>
>>
>>
>> 2013/10/20 dan (ddp) <[email protected]>
>>>
>>> On Sun, Oct 20, 2013 at 2:08 PM, rim bulls <[email protected]> wrote:
>>> > last pid: 91525;  load averages:  0.94,  1.04,  1.14
>>> > up 200+21:11:42 21:07:27
>>> > 425 processes: 3 running, 420 sleeping, 2 zombie
>>> > CPU:  5.4% user,  0.0% nice,  3.5% system,  0.6% interrupt, 90.6% idle
>>> > Mem: 2778M Active, 1172M Inact, 10G Wired, 151M Cache, 1646M Buf, 1277M Free
>>> > Swap: 4096M Total, 182M Used, 3914M Free, 4% Inuse
>>> >
>>> >   PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU COMMAND
>>> > 73370 ossec       1  44    0  7876K  3668K sbwait  7   0:07  0.00% ossec-analysisd
>>> > 73389 ossec       1  44    0  5832K   956K nanslp  4   0:00  0.00% ossec-monitord
>>> >
>>> > About logs - how much is "a lot"? How can I measure?
>>> >
>>>
>>> It depends on the system. How many log messages per second (estimate)?
>>>
>>> >
>>> >
>>> > 2013/10/20 dan (ddp) <[email protected]>
>>> >>
>>> >> On Sun, Oct 20, 2013 at 1:13 PM, rim bulls <[email protected]> wrote:
>>> >> > Max email limit? Don't know about email limits.
>>> >> > The delay is between log record in apache logfile and
>>> >> > alert record in "$ossec/logs/alerts/alerts.log".
>>> >> > For example: a record in the log file is recorded at 12.00, the alert is
>>> >> > generated at 12.30.
>>> >> > This is local installation, no server-agent.
>>> >> >
>>> >> > One more thing - I use a custom decoder for the Apache log file, like here:
>>> >> > "http://marc.info/?l=ossec-list&m=120177942010907"
>>> >> >
>>> >> >   Thanks in advance!
>>> >> >
>>> >>
>>> >> Is the system overloaded? How much CPU % is
>>> >> ossec-analysisd/ossec-logcollectord using? Are you pushing a lot of
>>> >> logs through it?
>>> >>
>>> >> >
>>> >> > 2013/10/20 dan (ddp) <[email protected]>
>>> >> >
>>> >> >>
>>> >> >> On Oct 19, 2013 5:13 PM, "rim bulls" <[email protected]> wrote:
>>> >> >> >
>>> >> >> > Hello!
>>> >> >> > Excuse my English, it is not my native language.
>>> >> >> >
>>> >> >> > Can someone help me with following issue:
>>> >> >> > Ossec version: ossec-hids-local-2.7
>>> >> >> > OS: FreeBSD 8.3
>>> >> >> > Monitoring Apache access log files. After running
>>> >> >> > OSSEC some time, ~10-20 min., there appears a delay between the entry
>>> >> >> > in the log file and the OSSEC-generated alert.
>>> >> >> >
>>> >> >> > Example:
>>> >> >> > ** Alert 1380315612.1843: - apache-custom,
>>> >> >> > 2013 Sep 28 00:00:12 mas->/var/log/web_access.log
>>> >> >> > Rule: 100288 (level 1) -> 'permit 404 "not found" '
>>> >> >> > Src IP: 83.136.136.54
>>> >> >> > www.besttech.lt 83.136.136.54 - - [27/Sep/2013:11:29:34 +0300] "GET /ads/content/banner/20121025221552-3803.swf?clickTAG=http://www.besttech.lt/ads/?fwd=1811 HTTP/1.1" 403 244 "http://www.siesuks.lv/receptes/majas-trte-a-varito-kremu-207841/" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
>>> >> >> >
>>> >> >> > Alert is generated in 2013 Sep 28 00:00:12, log file entry
>>> >> >> > 27/Sep/2013:11:29:34.
>>> >> >> >
>>> >> >>
>>> >> >> Did you reach the max email limit that hour?
>>> >> >>
>>> >> >> > As longer OSSEC runs, the delay gets larger.
>>> >> >> >
>>> >> >> > I searched for answer using search engines, but did not get any
>>> >> >> > answer. Can someone provide me some useful information, so I can
>>> >> >> > resolve this case, please.
>>> >> >> >
>>> >> >> > Kind regards.
>>> >> >> >
>>> >> >> > --
>>> >> >> >
>>> >> >> > ---
>>> >> >> > You received this message because you are subscribed to the
Google
>>> >> >> > Groups "ossec-list" group.
>>> >> >> > To unsubscribe from this group and stop receiving emails from
it,
>>> >> >> > send
>>> >> >> > an email to [email protected].
>>> >> >> > For more options, visit https://groups.google.com/groups/opt_out
.
>>> >> >>
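To put numbers on the two things asked in this thread (how far behind the alerts are, and what the event rate is across every monitored file rather than one), here is an added example that is not from the thread or from OSSEC itself: it parses the alerts.log layout quoted above to compute log-to-alert lag, and sums events per second over all vhost logs. The alert excerpt and access-log lines are constructed, and all hosts, IPs and the shop_access.log path are placeholders.

```python
import re
from datetime import datetime

# The two timestamps in an alert as quoted in the thread: the epoch in the
# "** Alert <epoch>.<id>:" header and the Apache "[dd/Mon/yyyy:HH:MM:SS +zzzz]" stamp.
ALERT_RE = re.compile(r"^\*\* Alert (\d+)\.\d+:")
SRC_RE = re.compile(r"->(\S+)$")  # "... mas->/var/log/web_access.log"
APACHE_TS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

# Constructed alerts.log excerpt in the layout quoted above (host and IP are placeholders).
ALERTS_LOG = """\
** Alert 1380315612.1843: - apache-custom,
2013 Sep 28 00:00:12 mas->/var/log/web_access.log
Rule: 100288 (level 1) -> 'permit 404 "not found" '
Src IP: 192.0.2.10
www.example.test 192.0.2.10 - - [27/Sep/2013:11:29:34 +0300] "GET /a.swf HTTP/1.1" 403 244 "-" "UA"
"""

# Constructed vhost logs: counting only the first file understates what analysisd sees.
ACCESS_LOGS = {
    "/var/log/web_access.log": [
        f'a.test 192.0.2.1 - - [27/Sep/2013:10:00:0{s} +0300] "GET / HTTP/1.1" 200 1' for s in (0, 1, 2)],
    "/var/log/shop_access.log": [
        f'b.test 192.0.2.2 - - [27/Sep/2013:10:00:0{s} +0300] "GET / HTTP/1.1" 200 1' for s in (0, 2)],
}

def apache_epoch(line):
    """Unix time of the request stamp in an Apache access-log line (timezone-aware)."""
    return datetime.strptime(APACHE_TS_RE.search(line).group(1),
                             "%d/%b/%Y:%H:%M:%S %z").timestamp()

def alert_lags(alerts_text):
    """Per alert block: (source file, seconds between the log entry and the alert)."""
    lags, alert_ts, src = [], None, None
    for line in alerts_text.splitlines():
        if m := ALERT_RE.match(line):          # new block: remember when OSSEC alerted
            alert_ts, src = int(m.group(1)), None
        elif alert_ts is not None and (m := SRC_RE.search(line)):
            src = m.group(1)                    # which monitored file it came from
        elif alert_ts is not None and APACHE_TS_RE.search(line):
            lags.append((src, alert_ts - apache_epoch(line)))
            alert_ts = None
    return lags

def total_eps(files):
    """Events per second across ALL monitored files (what analysisd actually receives).
    files maps path -> access-log lines; window = earliest to latest stamp over all of them."""
    stamps = [apache_epoch(l) for lines in files.values() for l in lines]
    window = max(stamps) - min(stamps)
    return len(stamps) / window if window else float(len(stamps))
```

For the thread's own example the lag comes out at 45038 seconds (about 12.5 hours), and the constructed pair of logs shows a single-file rate of 1.5 EPS against 2.5 EPS for both files together.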