Hi,

We have an OSSEC server that processes logdata from a central logserver. The central logserver collects data from around 50 nodes.

OSSEC is configured to monitor 8 different logfiles from the central logserver. In the logs we see that the logcollector is picking up those 8 files. The logfiles fill up with logdata rather quickly; 50 nodes produce a lot of data. The problem is that the logcollector sticks with 1 logfile if that logfile fills up with logdata quickly and doesn't process the other files. If we disable the 2 logfiles that fill up quickly, the logcollector processes the other files just fine.

The load on the OSSEC server is low, almost zero. So the logcollector should have plenty of performance to process all the logfiles, also the larger ones. Instead it sticks with 1 file and starts to lag behind.

Is there a way to make the logcollector process all files and make sure it doesn't lag behind? Or is there a way to investigate the problem better/deeper? We've put the debugging on, analyzed the IO-stats, resources, tried different setups, searched through the documentation but could not find a solution.

Thanks in advance!

Greetings,
Arnoud.
