Hello, I'm having the same problem. I have a master OSSEC 2.8 (Linux) and just one client (OSSEC 2.7 FreeBSD); my client config looks like this:

# more ossec.conf
<!-- OSSEC example config -->
<ossec_config>
  <client>
    <server-ip>xxx.xxx.xxx.xxx</server-ip>
  </client>
  <localfile>
    <log_format>apache</log_format>
    <location>/expert/htlogs/xxxxxxx1.access.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/expert/htlogs/xxxxxxx2.access.log</location>
  </localfile>
  <localfile>
    <log_format>apache</log_format>
    <location>/expert/htlogs/xxxxxxx3.access.log</location>
  </localfile>
</ossec_config>

With those 3 logs being sent to the master I'm having the same delay that Rim talks about, for example:

** Alert 1409739610.133748: - apache,
2014 Sep 03 12:20:10 (client-server) xxx.xxx.xxx.xxx->/expert/htlogs/xxxxxxxxx2.access.log
Rule: 666004 (level 2) -> 'Acceso a la subida de archivos de Joomla.'
Src IP: 62.193.235.191
xxxxxxxxxxx|xxx.xxx.xxx.xxx - - [03/Sep/2014:11:50:10 +0200] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 0 "-" "BOT/0.1 (BOT for JCE)"

With one configured it works fine. The delay isn't constant: sometimes it is 2 hours, sometimes 2 minutes... and it doesn't correlate to the number of requests in the logs either...

On Thursday, October 24, 2013 5:19:45 PM UTC+2, Michael Starks wrote:
>
> On 24.10.2013 01:36, rim bulls wrote:
>
> > Do someone have any experience with handling large numbers of EPS? Is
> > there some tuning has to be done?
> > Very sorry for my english :(
> > Have Sun!
>
> I have personally tested OSSEC up to 5000 EPS and it didn't drop
> anything. I know of one environment with 20k agents, which surely
> receives more than that.
>
