Thanks Michael. I enabled the 'logall' global option and noticed that the
events were object access events. I modified the Windows audit policy to
exclude successful object access events and I am now seeing much, much
less traffic from the Windows agent.

<global>
  ...
  ...
  <logall>yes</logall>
</global>

On Wednesday, April 16, 2014 11:37:09 AM UTC-4, Michael Starks wrote:
>
> On 2014-04-16 9:07, Joe60 wrote:
> > Hello,
> >
> > I am trying to assess how much bandwidth is consumed between a Windows
> > agent and the OSSEC server under normal operating conditions.
> >
> > I am seeing continuous chatter from a Windows agent to the OSSEC
> > server on UDP port 1514 every 4 seconds.
>
> The Windows agent, like all OSSEC agents, will send every log to the
> manager to be analyzed. If you have a sense for your log volume and
> average log size, you can get an idea for how much bandwidth might be
> used. OSSEC does compress the traffic, so depending on how much
> compressible information is in the log, you might see about 1/10th of
> the actual log size being transferred.
>