On Wed, Aug 13, 2014 at 5:49 AM, kinomakino <[email protected]> wrote:
> Thanks in advance.
> I have a web server with more than 1000000 files which I want to monitor
> with ossec to detect changes and especially file uploads (defacement).
> I have problems with its operation, but I think it is some performance issue.
> The problem is that sometimes it detects, sometimes not, sometimes in
> some directories and not others, etc. That is, it does not work well.
>
> Right now I restarted OSSEC and OSSIM and am seeing alerts for new files, which
> have long been on the server.
> I guess as I rebooted, it is regenerating the index file or something.
> I wonder if there is any way to monitor this index, to know when OSSEC has
> stopped making it, and can prove up files.
>
> Furthermore, any recommendations for environments with MANY files?
> Every few minutes this appears to me, after playing with a few parameters in
> internal_config:
> ossec-AgentD: INFO: Event count after '70000': 23875908-> 18,339,568 (76%)
>
> Using the latest version of OSSEC on CentOS 6.5
>
It sounds like a syscheck scan didn't complete or something. One million files is a lot. I don't know how to make sure OSSEC can handle that efficiently.

Next time there appears to be a hangup, see if a scan is currently running. Make sure the agent is "connected" to the manager.

> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
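The two checks suggested in the reply above (is a syscheck scan still running, and is the agent connected to the manager) can be scripted. The following is an added example and not code from the thread or from the OSSEC project; it assumes the default log path /var/ossec/logs/ossec.log, the wording of the ossec-syscheckd "Starting syscheck scan" / "Ending syscheck scan" INFO lines, and that agent_control is run on the manager. The sample log it runs against is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the OSSEC project): decide whether an
# OSSEC syscheck scan is still in progress by looking at the most recent
# "Starting"/"Ending" syscheck line in ossec.log, and list connected agents.
# Assumptions: the log path, the exact INFO message wording, and agent_control
# being available at /var/ossec/bin on the manager.

OSSEC_LOG=${OSSEC_LOG:-/var/ossec/logs/ossec.log}

# scan_state LOGFILE: "running" if the last syscheck line is a Starting with no
# Ending after it, "idle" if the last one is an Ending, "unknown" if neither
# appears (log rotated, or syscheck never started).
scan_state() {
    last=$(grep -E 'ossec-syscheckd: INFO: (Starting|Ending) syscheck scan' "$1" | tail -n 1)
    case "$last" in
        *'Starting syscheck scan'*) echo running ;;
        *'Ending syscheck scan'*)   echo idle ;;
        *)                          echo unknown ;;
    esac
}

# last_scan_started LOGFILE: timestamp (YYYY/MM/DD HH:MM:SS) of the last scan start.
last_scan_started() {
    grep 'ossec-syscheckd: INFO: Starting syscheck scan' "$1" | tail -n 1 | cut -c1-19
}

# last_scan_ended LOGFILE: timestamp of the last scan end (empty if none logged).
last_scan_ended() {
    grep 'ossec-syscheckd: INFO: Ending syscheck scan' "$1" | tail -n 1 | cut -c1-19
}

# connected_agents: on the manager, agent_control -lc lists the agents the
# server currently sees as connected. Path assumed.
connected_agents() {
    if [ -x /var/ossec/bin/agent_control ]; then
        /var/ossec/bin/agent_control -lc
    else
        echo "agent_control not found; run this on the OSSEC manager"
    fi
}

# Constructed sample log for a stand-alone run. The last syscheck line is a
# Starting with no matching Ending, i.e. a scan that is still running (or that
# died before it could log its end), which is the stall the reply describes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
2014/08/13 05:40:01 ossec-syscheckd: INFO: Starting syscheck scan.
2014/08/13 05:45:12 ossec-syscheckd: INFO: Ending syscheck scan.
2014/08/13 06:00:01 ossec-syscheckd: INFO: Starting syscheck scan.
2014/08/13 06:00:05 ossec-agentd: INFO: Event count after '70000': 23875908->18339568 (76%)
EOF

echo "syscheck state:  $(scan_state "$sample")"
echo "last scan start: $(last_scan_started "$sample")"
echo "last scan end:   $(last_scan_ended "$sample")"
rm -f "$sample"

# Against the live log on a real host (paths assumed), run:
#   scan_state "$OSSEC_LOG"; last_scan_started "$OSSEC_LOG"; connected_agents
```

A "running" state whose start timestamp is hours old, combined with an agent missing from `agent_control -lc`, is the pattern to look for; a scan over a million files that is still in progress will also explain a flood of "new file" alerts right after a restart, since every file gets added to the syscheck database again.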
