On Thu, Feb 6, 2014 at 11:08 AM, Arnoud Assenberg <[email protected]> wrote:
> On 06-02-14 14:15, dan (ddp) wrote:
>> On Thu, Feb 6, 2014 at 6:22 AM, Arnoud Assenberg <[email protected]> wrote:
>>> Hi,
>>>
>>> We have an OSSEC server that processes log data from a central logserver.
>>> The central logserver collects data from around 50 nodes.
>>>
>>> OSSEC is configured to monitor 8 different logfiles from the central
>>> logserver.
>>>
>>> In the logs we see that the logcollector is picking up those 8 files.
>>> The logfiles fill up with log data rather quickly; 50 nodes produce a lot
>>> of data.
>>>
>>> The problem is that the logcollector sticks with 1 logfile if that
>>> logfile fills up with log data quickly and doesn't process the other
>>> files. If we disable the 2 logfiles that fill up quickly, the
>>> logcollector processes the other files just fine.
>>>
>>> The load on the OSSEC server is low, almost zero. So the logcollector
>>> should have plenty of performance to process all the logfiles, also the
>>> larger ones. Instead it sticks with 1 file and starts to lag behind.
>>>
>>> Is there a way to make the logcollector process all files and make sure
>>> it doesn't lag behind? Or is there a way to investigate the problem
>>> better/deeper? We've put the debugging on, analyzed the IO stats and
>>> resources, tried different setups, and searched through the documentation
>>> but could not find a solution.
>>>
>> How many EPS are you seeing in the problem log files?
>> You could try tracing ossec-logcollector to see if that gives you any hints.
>
> The log files fill up with about 250-400 entries per second.
> Tracing the ossec-logcollector was a good idea. I've connected truss to
> the ossec-logcollector; this gave me entries about a missing .wait file,
> but that turned out to be a lockfile. I couldn't find other errors, the
> collector just does its job, but not fast enough.
>
> Am I not missing a sleep/wait/grace setting for the collector? Or a
> setting that spawns multiple ossec-logcollectors? The only thing I found in
> the ossec.log was "ossec-logcollector: INFO: (unix_domain) Maximum send
> buffer set to: '6400'". No idea if that is too low or too high or of no
> relevance at all.
>

There's no real tuning for ossec-logcollector. No one has ever mentioned
having this problem (to my knowledge). Multiple ossec-logcollectors might
be the only real solution at this time.

--

---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
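An added example for readers of this thread (not OSSEC's own code, and not something either poster ran): a small Python script that answers dan's "how many EPS" question per file by counting only the lines appended between two samples, and, on Linux, reports how many bytes a collector process's read position (the `pos:` field in `/proc/<pid>/fdinfo/<fd>`) lags behind each file it has open. A lag that keeps growing for one file while the others stay near zero is the symptom Arnoud describes. The file names, the pid and the log lines are constructed for illustration; `demo()` writes 300 constructed lines in a pretend second, i.e. a rate inside the 250-400 EPS range quoted above.

```python
"""Per-file event-rate (EPS) and collector-lag checks for busy log files.

Added example for the ossec-list thread above, not OSSEC code. All paths,
pids and log lines here are constructed for illustration.
"""
import os
import tempfile
import time


def count_new_lines(path, offset, chunk=1 << 16):
    """Count newline-terminated lines appended to `path` since `offset`.

    Returns (lines, new_offset). new_offset sits just after the last full
    line, so a half-written line is neither counted now nor missed later.
    A file that shrank (truncated or rotated in place) is re-read from 0.
    """
    if os.path.getsize(path) < offset:
        offset = 0
    lines, last_nl = 0, offset
    with open(path, "rb") as fh:
        fh.seek(offset)
        while True:
            buf = fh.read(chunk)
            if not buf:
                break
            n = buf.count(b"\n")
            if n:
                lines += n
                # position just past the last newline in this chunk
                last_nl = fh.tell() - (len(buf) - buf.rfind(b"\n") - 1)
    return lines, last_nl


def rates_since(paths, offsets, elapsed):
    """Lines per second per file since `offsets`; returns (eps, new_offsets)."""
    eps, new_offsets = {}, {}
    for p in paths:
        n, new_offsets[p] = count_new_lines(p, offsets.get(p, 0))
        eps[p] = n / elapsed
    return eps, new_offsets


def sample_eps(paths, interval=10.0):
    """Measure EPS per file over `interval` seconds, ignoring existing content."""
    baseline = {p: os.path.getsize(p) for p in paths}
    t0 = time.monotonic()
    time.sleep(interval)
    eps, _ = rates_since(paths, baseline, time.monotonic() - t0)
    return eps


def collector_lag(pid, paths):
    """Linux only: bytes each of `paths` has grown past `pid`'s read position.

    Resolves /proc/<pid>/fd/* to see which file each descriptor points at
    and reads the 'pos:' field of /proc/<pid>/fdinfo/<fd>. Descriptors that
    point elsewhere, or at a deleted (rotated-away) file, are skipped.
    """
    wanted = {os.path.realpath(p) for p in paths}
    lag = {}
    for fd in os.listdir(f"/proc/{pid}/fd"):
        try:
            target = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:
            continue                        # descriptor closed under us
        if target not in wanted:
            continue
        with open(f"/proc/{pid}/fdinfo/{fd}") as fh:
            pos = next(int(line.split()[1])
                       for line in fh if line.startswith("pos:"))
        lag[target] = os.path.getsize(target) - pos
    return lag


def demo():
    """Constructed workload: one hot file, one quiet file, one pretend second."""
    tmp = tempfile.mkdtemp()
    hot, quiet = os.path.join(tmp, "auth.log"), os.path.join(tmp, "cron.log")
    for p in (hot, quiet):
        with open(p, "wb") as fh:           # pre-existing content is not counted
            fh.write(b"Feb  6 14:14:59 node01 sshd[1]: old line (constructed)\n")
    baseline = {p: os.path.getsize(p) for p in (hot, quiet)}
    with open(hot, "ab") as fh:
        for i in range(300):
            fh.write(b"Feb  6 14:15:00 node%02d sshd[1]: Failed password for root "
                     b"(constructed)\n" % (i % 50))
        fh.write(b"Feb  6 14:15:01 node00 sshd[1]: half-written")   # no newline yet
    eps, _ = rates_since((hot, quiet), baseline, elapsed=1.0)
    return eps[hot], eps[quiet]


if __name__ == "__main__":
    print(demo())
    # On the OSSEC box (Linux), with assumed paths and the logcollector's pid:
    #   files = ["/var/log/remote/auth.log", "/var/log/remote/syslog"]
    #   print(sample_eps(files, 10))
    #   print(collector_lag(pid_of_ossec_logcollector, files))
```

Run `sample_eps` over a 10-second window on the real files to see which two are the hot ones, then poll `collector_lag` a few times a minute apart: a file whose lag grows monotonically is the one the collector is not keeping up with, which is a more direct measurement than watching truss output.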
