We are running a few thousand servers with the OSSEC agents feeding data into two servers. At times Active Response will be blocking upwards of 500 IPs. One problem that I've encountered is that when restarting OSSEC on the agents, it will trigger a script run of host-deny.sh and firewall-drop.sh for every IP that is blocked. This puts significant load on the system and can cause performance issues in production.

Any ideas on how to work around this? I've been holding off on a config change for a few weeks now, as I don't want to trigger load alerts on all of our servers.

--Josh
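As an added illustration (not part of Josh's post or of OSSEC itself), a small Python script that reads OSSEC's active-responses.log and flags the burst described above, where many `add` actions for firewall-drop.sh and host-deny.sh fire within a short window after an agent restart. The log line layout (`<date> <script> <action> <user> <ip> <alert-id> <rule-id>`) and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed active-responses.log layout: "<date> <script> <action> <user> <ip> <alert-id> <rule-id>"
LINE_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \w+ \d{4}) "
    r"(?P<script>\S+) (?P<action>\S+) (?P<user>\S+) (?P<ip>\S+)"
)


def parse_line(line):
    """Return (timestamp, script name, action, ip) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(" ".join(m.group("when").split()), "%a %b %d %H:%M:%S %Z %Y")
    return when, m.group("script").rsplit("/", 1)[-1], m.group("action"), m.group("ip")


def find_bursts(log_text, window_seconds=60, threshold=50):
    """Count 'add' script runs per fixed window; return (window_start, runs, distinct_ips)
    for every window that reaches the threshold, i.e. a likely restart-driven replay."""
    runs = Counter()
    ips = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != "add":
            continue
        when, _script, _action, ip = rec
        bucket = int(when.timestamp()) // window_seconds * window_seconds
        runs[bucket] += 1
        ips.setdefault(bucket, set()).add(ip)
    return [(b, n, len(ips[b])) for b, n in sorted(runs.items()) if n >= threshold]


def _constructed_sample():
    # Constructed data: 6 blocked IPs, both scripts re-run within two seconds, then one lone block later.
    lines = []
    for i in range(6):
        for script in ("firewall-drop.sh", "host-deny.sh"):
            lines.append(f"Tue Mar 10 12:00:0{1 + i % 2} UTC 2015 /var/ossec/active-response/bin/"
                         f"{script} add - 192.0.2.{10 + i} 1426000000.{i} 5712")
    lines.append("Tue Mar 10 13:15:00 UTC 2015 /var/ossec/active-response/bin/firewall-drop.sh"
                 " add - 198.51.100.7 1426004500.3 5712")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    for start, n, distinct in find_bursts(SAMPLE_LOG, window_seconds=60, threshold=10):
        print(f"burst at epoch {start}: {n} script runs for {distinct} IPs")
```

On a real agent, pass the contents of /var/ossec/logs/active-responses.log and a threshold matching the number of IPs normally blocked at once.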
