In other logs, like /var/log/messages, there are just a couple of events per hour.
They did not change anything.
When I take one of the busiest apache virtualhost logs out of ossec,
alerts are generated correctly. And this vhost logs to the log file I used in
the calculation. One more thing: there are peak hours, when EPS values are
higher. I'll get statistics from the peaks.


2013/10/24 dan (ddp) <[email protected]>

>
> On Oct 24, 2013 5:36 AM, "rim bulls" <[email protected]> wrote:
> >
> > Hi!
> > On the Internet I found info that ossec is capable of handling ~600 EPS, so I
> wonder why it stops functioning correctly with my ~39 events per sec. in
> server logs?
> > I disabled unwanted rules in ossec.conf, as described in "
> http://www.immutablesecurity.com/index.php/2009/10/30/week-of-ossec-day-6-developing-a-tuning-strategy/"
> - no luck.
> > Then I took one of the busiest apache virtualhost logs out of ossec -
> alerts are generated correctly. So those delays between an event in my server
> log files and the ossec generated alert in ossec logs are related to EPS.
> > Looks like logcollector can't read the log fast enough.
> >
>
> You only had the 1 log source though, right? When you calculated the 39
> eps you only did that for 1 log file. Are there more logs you are
> monitoring? Why weren't they part of the calculation?
>
> > Does someone have any experience with handling large numbers of EPS? Is
> there some tuning that has to be done?
> > Very sorry for my English :(
> > Have Sun!
> >
> >
> > 2013/10/22 rim bulls <[email protected]>
> >>
> >> Hello again!
> >>
> >> Average result is ~39 events per second.
> >>
> >> Are there any limits? I switched debugging mode on for
> ossec-analysisd/ossec-logcollectord (internal_options.conf), but the only
> thing I can see is growing delay.
> >>
> >> Can someone provide any usable information to help solve the problem?
> >>
> >> Thank you!
> >>
> >>
> >>
> >> 2013/10/20 dan (ddp) <[email protected]>
> >>>
> >>> On Sun, Oct 20, 2013 at 2:08 PM, rim bulls <[email protected]>
> wrote:
> >>> > last pid: 91525;  load averages:  0.94,  1.04,  1.14
> >>> > up 200+21:11:42 21:07:27
> >>> > 425 processes: 3 running, 420 sleeping, 2 zombie
> >>> > CPU:  5.4% user,  0.0% nice,  3.5% system,  0.6% interrupt, 90.6%
> idle
> >>> > Mem: 2778M Active, 1172M Inact, 10G Wired, 151M Cache, 1646M Buf,
> 1277M Free
> >>> > Swap: 4096M Total, 182M Used, 3914M Free, 4% Inuse
> >>> >
> >>> >   PID USERNAME  THR PRI NICE   SIZE    RES STATE   C   TIME   WCPU
> COMMAND
> >>> > 73370 ossec       1  44    0  7876K  3668K sbwait  7   0:07  0.00%
> >>> > ossec-analysisd
> >>> > 73389 ossec       1  44    0  5832K   956K nanslp  4   0:00  0.00%
> >>> > ossec-monitord
> >>> >
> >>> > About logs - how much is "a lot"? How can I measure?
> >>> >
> >>>
> >>> It depends on the system. How many log messages per second (estimate)?
> >>>
> >>> >
> >>> >
> >>> > 2013/10/20 dan (ddp) <[email protected]>
> >>> >>
> >>> >> On Sun, Oct 20, 2013 at 1:13 PM, rim bulls <[email protected]>
> wrote:
> >>> >> > Max email limit? Don't know about email limits.
> >>> >> > The delay is between the log record in the apache logfile and the
> >>> >> > alert record in "$ossec/logs/alerts/alerts.log".
> >>> >> > For example: record in log file is recorded at 12.00, alert is
> generated
> >>> >> > in 12.30.
> >>> >> > This is local installation, no server-agent.
> >>> >> >
> >>> >> > One more thing - I use a custom decoder for the apache log file, like
> here:
> >>> >> > "http://marc.info/?l=ossec-list&m=120177942010907"
> >>> >> >
> >>> >> >   Thanks in advance!
> >>> >> >
> >>> >>
> >>> >> Is the system overloaded? How much CPU % is
> >>> >> ossec-analysisd/ossec-logcollectord using? Are you pushing a lot of
> >>> >> logs through it?
> >>> >>
> >>> >> >
> >>> >> > 2013/10/20 dan (ddp) <[email protected]>
> >>> >> >
> >>> >> >>
> >>> >> >> On Oct 19, 2013 5:13 PM, "rim bulls" <[email protected]>
> wrote:
> >>> >> >> >
> >>> >> >> > Hello!
> >>> >> >> > Excuse my English, it is not my native language.
> >>> >> >> >
> >>> >> >> > Can someone help me with following issue:
> >>> >> >> > Ossec version: ossec-hids-local-2.7
> >>> >> >> > OS: FreeBSD 8.3
> >>> >> >> > Monitoring apache access log files. After running
> >>> >> >> > OSSEC for some time, ~10-20 min., there appears a delay between the
> entry in the log
> >>> >> >> > file and the
> >>> >> >> > ossec generated alert.
> >>> >> >> >
> >>> >> >> > Example:
> >>> >> >> > ** Alert 1380315612.1843: - apache-custom,
> >>> >> >> > 2013 Sep 28 00:00:12 mas->/var/log/web_access.log
> >>> >> >> > Rule: 100288 (level 1) -> 'permit 404 "not found" '
> >>> >> >> > Src IP: 83.136.136.54
> >>> >> >> > www.besttech.lt 83.136.136.54 - - [27/Sep/2013:11:29:34
> +0300] "GET
> >>> >> >> >
> >>> >> >> >
> >>> >> >> > /ads/content/banner/20121025221552-3803.swf?clickTAG=
> http://www.besttech.lt/ads/?fwd=1811
> >>> >> >> > HTTP/1.1" 403 244
> >>> >> >> > "http://www.siesuks.lv/receptes/majas-trte-a-varito-kremu-207841/"
> >>> >> >> > "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1;
> Trident/4.0;
> >>> >> >> > SLCC2;
> >>> >> >> > .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729;
> Media
> >>> >> >> > Center
> >>> >> >> > PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
> >>> >> >> >
> >>> >> >> > Alert is generated in 2013 Sep 28 00:00:12, log file entry
> >>> >> >> > 27/Sep/2013:11:29:34.
> >>> >> >> >
> >>> >> >>
> >>> >> >> Did you reach the max email limit that hour?
> >>> >> >>
> >>> >> >> > As longer OSSEC runs, the delay gets larger.
> >>> >> >> >
> >>> >> >> > I searched for an answer using search engines, but did not get any
> >>> >> >> > answer. Can someone provide me some useful information, so I
> can
> >>> >> >> > resolve this case, please.
> >>> >> >> >
> >>> >> >> > Kind regards.
> >>> >> >> >
> >>> >> >> > --
> >>> >> >> >
> >>> >> >> > ---
> >>> >> >> > You received this message because you are subscribed to the
> Google
> >>> >> >> > Groups "ossec-list" group.
> >>> >> >> > To unsubscribe from this group and stop receiving emails from
> it,
> >>> >> >> > send
> >>> >> >> > an email to [email protected].
> >>> >> >> > For more options, visit
> https://groups.google.com/groups/opt_out.
> >>> >> >>
> >>> >> >
> >>> >> >
> >>> >>
> >>> >
> >>> >
> >>>
> >>
> >>
> >
>
>


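An added example, not part of the thread and not OSSEC's own tooling, for the measurement dan asks about: the EPS figure has to cover every file logcollector reads, not one vhost, and the peak second matters more than the hourly average. The POSIX sh/awk script below buckets Apache access-log lines by the timestamp they carry (so it works on historical logs, not just live tail), combines any number of files, and reports the wall-clock average EPS next to the busiest single second. The vhost names, IPs and log lines are constructed sample data; the parser assumes the Apache `[dd/Mon/yyyy:HH:MM:SS` format (with or without a leading vhost field, as in the poster's log), so a syslog-style file such as /var/log/messages would need a different timestamp extractor.

```shell
#!/bin/sh
# Added example: measure the combined event rate OSSEC's logcollector must keep up with.
# POSIX sh + awk only (FreeBSD's awk or GNU awk); no OSSEC code involved.

# eps_stats FILE...
# Buckets lines from all FILEs together by their Apache timestamp and prints:
#   total=N skipped=K span_s=S avg_eps=A active_s=B peak_eps=P peak_at=TS
# span_s   = seconds from first to last timestamp, inclusive (wall clock)
# avg_eps  = total / span_s   (the figure a "~39 EPS" estimate should be based on)
# active_s = seconds that had at least one event
# peak_eps = busiest single second (what decides whether the analysis queue falls behind)
eps_stats() {
    awk '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mn, " ")
        for (i = 1; i <= 12; i++) mon[mn[i]] = i
        split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
    }
    # "27/Sep/2013:11:29:34" -> monotone second count. Timezone is ignored, so all
    # monitored logs are assumed to share one zone (true for one local install).
    function to_sec(ts,    a, y, mo, doy) {
        split(ts, a, "[/:]")                       # a: day Mon year H M S
        y = a[3] + 0; mo = mon[a[2]]; doy = cum[mo] + a[1]
        if (mo > 2 && ((y % 4 == 0 && y % 100 != 0) || y % 400 == 0)) doy++
        return (y * 366 + doy) * 86400 + a[4] * 3600 + a[5] * 60 + a[6]
    }
    {
        ts = ""
        for (i = 1; i <= NF; i++)                  # first "[..." field is the date,
            if (substr($i, 1, 1) == "[") { ts = substr($i, 2); break }   # vhost prefix or not
        if (ts !~ /^[0-9][0-9]?\/[A-Za-z][a-z][a-z]\/[0-9][0-9][0-9][0-9]:[0-9][0-9]:[0-9][0-9]:[0-9][0-9]$/) {
            skipped++; next                        # lines the parser cannot date are counted, not guessed
        }
        s = to_sec(ts)
        if (total == 0 || s < first) first = s
        if (total == 0 || s > last) last = s
        count[ts]++; total++
    }
    END {
        for (t in count)                           # busiest second; earliest wins a tie
            if (count[t] > peak || (count[t] == peak && to_sec(t) < to_sec(peak_at))) {
                peak = count[t]; peak_at = t
            }
        active = 0; for (t in count) active++
        span = (total > 0) ? last - first + 1 : 0
        printf "total=%d skipped=%d span_s=%d avg_eps=%.2f active_s=%d peak_eps=%d peak_at=%s\n",
               total, skipped, span, (span ? total / span : 0), active, peak, peak_at
    }' "$@"
}

# Constructed sample input (not real traffic): two vhost logs plus one malformed line.
# Prints the busy vhost alone first, then everything logcollector would read.
demo_eps() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/vhost1.log" <<'EOF'
www.example.test 198.51.100.7 - - [27/Sep/2013:11:29:30 +0300] "GET / HTTP/1.1" 200 512 "-" "curl/7.21"
www.example.test 198.51.100.7 - - [27/Sep/2013:11:29:31 +0300] "GET /a HTTP/1.1" 200 512 "-" "curl/7.21"
www.example.test 198.51.100.8 - - [27/Sep/2013:11:29:31 +0300] "GET /b HTTP/1.1" 404 244 "-" "curl/7.21"
www.example.test 198.51.100.9 - - [27/Sep/2013:11:29:33 +0300] "GET /c HTTP/1.1" 200 512 "-" "curl/7.21"
www.example.test 198.51.100.9 - - [27/Sep/2013:11:29:33 +0300] "GET /d HTTP/1.1" 403 244 "-" "curl/7.21"
www.example.test 198.51.100.7 - - [27/Sep/2013:11:29:34 +0300] "GET /e HTTP/1.1" 200 512 "-" "curl/7.21"
www.example.test 198.51.100.8 - - [27/Sep/2013:11:29:34 +0300] "GET /f HTTP/1.1" 200 512 "-" "curl/7.21"
EOF
    cat > "$dir/vhost2.log" <<'EOF'
203.0.113.5 - - [27/Sep/2013:11:29:31 +0300] "GET /x HTTP/1.1" 200 128 "-" "curl/7.21"
203.0.113.5 - - [27/Sep/2013:11:29:34 +0300] "GET /y HTTP/1.1" 200 128 "-" "curl/7.21"
203.0.113.6 - - [27/Sep/2013:11:29:34 +0300] "GET /z HTTP/1.1" 200 128 "-" "curl/7.21"
not a log line at all
EOF
    eps_stats "$dir/vhost1.log"
    eps_stats "$dir/vhost1.log" "$dir/vhost2.log"
    rm -rf "$dir"
}

demo_eps
```

On real data run it as `eps_stats /var/log/web_access.log /var/log/other_vhost.log ...` with every `<localfile>` OSSEC watches; compare `peak_eps` against the rate at which alerts.log catches up, since a queue that drains slower than the peak second fills will show exactly the steadily growing delay described in the thread.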