Hello, I am trying to assess how much bandwidth is consumed between a Windows agent and the OSSEC server under normal operating conditions.
I am seeing continuous chatter from a Windows agent to the OSSEC server on UDP port 1514 every 4 seconds.

09:28:53.357655 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:28:53.357665 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:28:53.357706 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:28:53.357903 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:28:57.382126 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:28:57.382319 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 401
09:28:57.382502 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:28:57.382692 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:29:01.406947 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:29:01.407135 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 345
09:29:01.407310 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 393
09:29:01.407494 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 393
09:29:01.407673 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 393
09:29:01.407853 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 385
09:29:01.408046 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:29:01.408227 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 393
09:29:01.408401 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 393
09:29:01.408577 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 385
09:29:01.408753 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 393
09:29:01.408925 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 345
09:29:01.409118 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:29:01.409289 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 345
09:29:05.431749 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:29:05.431937 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:29:05.432146 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:29:05.432332 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 401

The client log states that it is sending keepalive messages about every 6-7 minutes but nothing else.

2014/04/16 08:50:49 ossec-agent Sending keep alive message....
2014/04/16 08:57:32 ossec-agent Sending keep alive message....
2014/04/16 09:04:15 ossec-agent Sending keep alive message....
2014/04/16 09:10:58 ossec-agent Sending keep alive message....
2014/04/16 09:17:40 ossec-agent Sending keep alive message....
2014/04/16 09:24:23 ossec-agent Sending keep alive message....
2014/04/16 09:31:05 ossec-agent Sending keep alive message....
2014/04/16 09:37:48 ossec-agent Sending keep alive message....
2014/04/16 09:44:30 ossec-agent Sending keep alive message....
2014/04/16 09:51:13 ossec-agent Sending keep alive message....
2014/04/16 09:57:55 ossec-agent Sending keep alive message....

I enabled debug level 2 for all cases on the server but I am not seeing anything more recorded in ossec.log.

Can anybody shed some light on what this chatter is all about?

Thanks.
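
One way to turn a capture like the one in this message into a bandwidth figure, as an added example that is not part of the original post: the script groups the tcpdump lines into bursts and reports the burst interval and the IP-level byte rate. SAMPLE is an excerpt of the lines quoted above (bursts 3 and 4 are cut short), the function names are made up for this example, and it assumes IPv4 without options and a capture that does not cross midnight.

```python
import re
from datetime import datetime

# Excerpt of the tcpdump lines quoted in the post; bursts 3 and 4 are truncated.
SAMPLE = """\
09:28:53.357655 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:28:53.357665 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:28:53.357706 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:28:53.357903 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:28:57.382126 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:28:57.382319 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 401
09:28:57.382502 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:28:57.382692 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:29:01.406947 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
09:29:01.407135 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 345
09:29:05.431749 IP 192.168.1.141.49591 > 192.168.1.145.fujitsu-dtcns: UDP, length 409
"""
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP \S+ > \S+: UDP, length (\d+)$")
IP_UDP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte UDP header per datagram

def parse(text):
    """Yield (seconds since midnight, UDP payload length) for each UDP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
            yield secs, int(m.group(2))

def bursts(packets, gap=1.0):
    """Start a new burst whenever the line has been quiet for `gap` seconds."""
    groups, last = [], None
    for ts, size in packets:
        if last is None or ts - last >= gap:
            groups.append([])
        groups[-1].append((ts, size))
        last = ts
    return groups

def summarize(text, gap=1.0):
    """Burst count, mean burst interval and IP-level bytes per second."""
    groups = bursts(parse(text), gap)
    if len(groups) < 2:
        raise ValueError("need at least two bursts to measure an interval")
    starts = [g[0][0] for g in groups]
    window = starts[-1] - starts[0]
    # The last burst only marks the end of the window; the capture may cut it off.
    wire = sum(size + IP_UDP_OVERHEAD for g in groups[:-1] for _, size in g)
    return {"bursts": len(groups), "packets": sum(len(g) for g in groups),
            "mean_interval_s": window / (len(groups) - 1),
            "wire_bytes_per_s": wire / window}
```

Run summarize() over the full capture text rather than the excerpt to get a figure for the real traffic; Ethernet framing is not included in the rate.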
