Any feedback on this? Or a similar case, even on another platform? That's really annoying for testing on a small configuration (especially when it's your own laptop). Can't leave it active all the time, else the whole box is damn slow.
Thanks
Julien

2014-03-11 21:13 GMT-04:00 Julien T:
> Hello,
>
> Another point I need to discuss on the list is the CPU usage of OSSEC. On
> my test Mac, it is often eating 50-90% of CPU.
> After some tracking, it seems ossec-analysisd is responsible for it, and with
> dtrace [1] it can be located like this:
>
> # dtrace -n 'syscall:::entry { @num[execname] = count(); }'
> [...]
>   dbfseventsd           509
>   ocspd                 670
>   ossec-syscheckd      1328
>   Google Drive         1336
>   Google Chrome C      4961
>   Google Chrome H     40300
>   ossec-analysisd   1113498
>
> # dtrace -n 'syscall:::entry { @num[probefunc] = count(); }'
> [...]
>   psynch_cvwait       17496
>   sigaltstack         18142
>   sigprocmask         18144
>   kevent              25687
>   read_nocancel     2157214
>
> # readid.d ossec-analysisd 15s
> dtrace: 14240 dynamic variable drops with non-empty dirty list
> Sampling for 15s ... Please wait.
> [...]
>   PROGRAM           PID     COUNT
>   ossec-analysisd   47205   115635
>
> # readfile.d ossec-analysisd 60s
> [...]
>   FILE NAME     COUNT
>   'localtime'   7
>   'syscheck'    110891
>
> # rwsnoop -n ossec-analysisd
> confirms an almost constant call on those files of ${prefix}/var/ossec:
>   /etc/localtime
>   /opt/local/var/ossec/queue/syscheck/syscheck
>
> Not sure why the first is needed multiple times. The latter seems to
> contain hashes of files.
>
> In my config, syscheck is <frequency>72000</frequency> (default).
> Is there an option to know how much time the full syscheck takes, or to
> renice it?
> I was supposing that after the first big initial scans things would be more
> light, but it doesn't seem so.
>
> Another anomaly is the process name: in Activity Monitor it's empty, while
> in 'ps'/cli it's complete for ossec-analysisd, ossec-syscheckd.
> Check: ps -p <pid> -o pid,command,comm,args,ucomm and all are set right.
> The following explanations didn't seem relevant to me for a pure Unix app,
> or is there some stealth mode?
> http://stackoverflow.com/questions/4217947/setting-process-name-on-mac-os-x-at-runtime
> http://stackoverflow.com/questions/1046155/blank-process-name-for-osx-cocoa-application

--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
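The `dtrace -n 'syscall:::entry { @num[execname] = count(); }'` one-liner quoted above prints one aggregation row per process, with the count right-aligned after the name. When you want to do this on more than one box, or alert when a single daemon owns most of the system calls, it helps to post-process that output rather than eyeball it. The script below is an added example written for this page; it is not from the thread or from the OSSEC project. It parses the aggregation rows (the sample is the table from the post, with the `[...]` rows omitted), ranks processes by their share of all system calls, and returns the ones above a threshold. The `execname` column is the kernel's command name, which on macOS is truncated to 16 characters and may contain spaces (hence "Google Chrome H"), so the parser splits on the last run of whitespace rather than the first.

```python
"""Rank processes by system-call count from a dtrace execname aggregation.

Input format (from `dtrace -n 'syscall:::entry { @num[execname] = count(); }'`):
one row per process, <execname> padded with spaces, then the count.
"""
from __future__ import annotations

import re

# Constructed sample: the aggregation rows quoted in the post above.
# The "[...]" rows the poster elided are simply absent here.
SAMPLE_EXECNAME_OUTPUT = """\
  dbfseventsd                                                     509
  ocspd                                                           670
  ossec-syscheckd                                                1328
  Google Drive                                                   1336
  Google Chrome C                                                4961
  Google Chrome H                                               40300
  ossec-analysisd                                             1113498
"""

# execname may contain spaces ("Google Chrome H" is a truncated command name),
# so the name is everything up to the LAST whitespace run before the number.
_ROW = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<count>\d+)\s*$")


def parse_aggregation(text: str) -> dict[str, int]:
    """Return {execname: syscall_count}, ignoring headers, '[...]' and status lines."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # dtrace banner, "[...]", blank lines, etc.
        name = m.group("name")
        counts[name] = counts.get(name, 0) + int(m.group("count"))
    return counts


def rank_by_share(counts: dict[str, int]) -> list[tuple[str, int, float]]:
    """Return (execname, count, share_of_total) tuples, largest first."""
    total = sum(counts.values())
    if total == 0:
        return []
    ranked = [(name, n, n / total) for name, n in counts.items()]
    ranked.sort(key=lambda t: t[1], reverse=True)
    return ranked


def dominant_consumers(counts: dict[str, int], threshold: float = 0.5) -> list[str]:
    """Processes whose share of all observed system calls is >= threshold.

    threshold=0.5 flags a single process making at least half of all syscalls
    in the sampling window, which is the situation described in the post.
    """
    return [name for name, _, share in rank_by_share(counts) if share >= threshold]


if __name__ == "__main__":
    parsed = parse_aggregation(SAMPLE_EXECNAME_OUTPUT)
    for name, n, share in rank_by_share(parsed):
        print(f"{name:<20} {n:>10} {share:6.1%}")
    print("dominant:", dominant_consumers(parsed))
```

Feed it live data with `dtrace -n 'syscall:::entry { @num[execname] = count(); }' > agg.txt` (stop with Ctrl-C after a sampling window of your choosing), then `parse_aggregation(open("agg.txt").read())`. A second run with `@num[probefunc]` as the key, as in the post, parses with the same function and tells you which call dominates; pairing the two results (one process, one syscall) is what pointed the poster at the reads of the syscheck database.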
