On Thu, Feb 6, 2014 at 6:22 AM, Arnoud Assenberg <[email protected]> wrote:
> Hi,
>
> We have an OSSEC server that processes logdata from a central logserver.
> The central logserver collects data from around 50 nodes.
>
> OSSEC is configured to monitor 8 different logfiles from the central
> logserver.
>
> In the logs we see that the logcollector is picking up those 8 files.
> The logfiles fill up with logdata rather quickly, 50 nodes produce a lot
> of data.
>
> The problem is that the logcollector sticks with 1 logfile if that
> logfile fills up with logdata quickly and doesn't process the other
> files. If we disable the 2 logfiles that fill up quickly, the
> logcollector processes the other files just fine.
>
> The load on the OSSEC server is low, almost zero. So the logcollector
> should have plenty of performance to process all the logfiles, also the
> larger ones. Instead it sticks with 1 file and starts to lag behind.
>
> Is there a way to make the logcollector process all files and make sure
> it doesn't lag behind? Or is there a way to investigate the problem
> better/deeper? We've put the debugging on, analyzed the IO-stats,
> resources, tried different setups, searched thru the documentation but
> could not find a solution.
>
How many EPS are you seeing in the problem log files? You could try tracing ossec-logcollector to see if that gives you any hints.

> Thanks in advance!
>
> Greetings,
> Arnoud.
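
An added example, not part of either message and not OSSEC code: one way to get the per-file EPS figure asked about above is to sample each monitored file twice and count the newline-terminated events appended in between. The file paths given on the command line and the 10-second default interval are assumptions.

```python
#!/usr/bin/env python3
"""Measure events per second (EPS) for each log file given on the command line."""
import os
import sys
import time


def count_new_lines(path, offset):
    """Count newline-terminated events appended to path since byte offset.

    Returns (lines, new_offset). If the file is now smaller than offset it
    was rotated or truncated, so counting restarts from the beginning.
    """
    size = os.path.getsize(path)
    if size < offset:
        offset = 0
    lines = 0
    with open(path, "rb") as fh:
        fh.seek(offset)
        while True:
            chunk = fh.read(1 << 20)  # read in 1 MiB chunks
            if not chunk:
                break
            lines += chunk.count(b"\n")
        return lines, fh.tell()


def measure_eps(paths, interval=10.0):
    """Sample every file twice, interval seconds apart; return {path: EPS}."""
    start = time.monotonic()
    offsets = {p: os.path.getsize(p) for p in paths}
    time.sleep(interval)
    counts = {p: count_new_lines(p, offsets[p])[0] for p in paths}
    elapsed = time.monotonic() - start
    return {p: counts[p] / elapsed for p in paths}


if __name__ == "__main__":
    # Usage (paths are whichever files logcollector is configured to monitor):
    #   python3 eps.py /path/to/log1 /path/to/log2 ...
    rates = measure_eps(sys.argv[1:])
    for path, eps in sorted(rates.items(), key=lambda kv: -kv[1]):
        print(f"{eps:10.1f} EPS  {path}")
```

Running it against all 8 monitored files at once shows how far the two fast-growing files outpace the rest, which is the number to report back to the list.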
