Hello again, I updated the client to 2.8 so now both the server and the client are the same version and still get the delay. :/

On Thursday, September 4, 2014 8:12:28 AM UTC+2, Koldo Aingeru wrote:
> Hello,
>
> I'm having the same problem, I've a master OSSEC 2.8 (Linux) and just one
> client (OSSEC 2.7 FreeBSD), my client config looks like this:
>
> # more ossec.conf
> <!-- OSSEC example config -->
>
> <ossec_config>
>   <client>
>     <server-ip>xxx.xxx.xxx.xxx</server-ip>
>   </client>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/expert/htlogs/xxxxxxx1.access.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/expert/htlogs/xxxxxxx2.access.log</location>
>   </localfile>
>
>   <localfile>
>     <log_format>apache</log_format>
>     <location>/expert/htlogs/xxxxxxx3.access.log</location>
>   </localfile>
>
> </ossec_config>
>
> With those 3 logs being sent to the master I'm having the same delay that
> Rim talks about, for example:
>
> ** Alert 1409739610.133748: - apache,
> 2014 Sep 03 12:20:10 (client-server) xxx.xxx.xxx.xxx->/expert/htlogs/xxxxxxxxx2.access.log
> Rule: 666004 (level 2) -> 'Acceso a la subida de archivos de Joomla.'
> Src IP: 62.193.235.191
> xxxxxxxxxxx|xxx.xxx.xxx.xxx - - [03/Sep/2014:11:50:10 +0200] "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1" 400 0 "-" "BOT/0.1 (BOT for JCE)"
>
> With one configured it works fine, the delay isn't constant, sometimes it is
> 2 hours, sometimes 2 minutes.... and it doesn't correlate to the number of
> requests in the logs either.....
>
> On Thursday, October 24, 2013 5:19:45 PM UTC+2, Michael Starks wrote:
>>
>> On 24.10.2013 01:36, rim bulls wrote:
>>
>> > Does someone have any experience with handling large numbers of EPS? Is
>> > there some tuning that has to be done?
>> > Very sorry for my English :(
>> > Have Sun!
>>
>> I have personally tested OSSEC up to 5000 EPS and it didn't drop
>> anything. I know of one environment with 20k agents, which surely
>> receives more than that.
>>
