I am in the middle of rolling out OSSEC in my organization. I have my server installed on Ubuntu Server 14.04 running on a VMware ESXi host. Currently I've allocated 2 - 3GHz CPUs to this VM with 1GB of RAM (much more can be allocated if truly necessary). I aim to install OSSEC on about 300 workstations, but currently I only have it installed on about 30. At the moment I am seeing extremely high CPU utilization on the server, where the ossec-analysisd process is maxing the CPU out at 100%.
It looks like the server is keeping up with alerts on the events it is receiving. If I send an alertable event to the server, I receive an email alert about 10 seconds later. How can I find out if the CPU is working too hard to handle all the events it is receiving, or if it is something with the processing of the rules, or something else entirely?

I am using OSSEC in conjunction with Sysmon on my workstations. Sysmon is logging all networking and process creation events, so it can certainly generate a lot of events. I have about 70 rules in my local_rules.xml file and many of them process these Sysmon events. To rule out any other eventlog as a problem, I've disabled OSSEC from reading the Application, Security, and System eventlogs on all these computers (preferably only temporarily).

What are some things I can do to find out what is causing such high CPU utilization, and whether this is expected load or something is possibly wrong with the setup? I am running one of the latest versions of OSSEC code available on github on both the server and workstations.

Thanks for the assistance!
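As a first triage step for the load question above, here is an added example (not from the original post or from the OSSEC project) that tallies alerts.log by rule id and by agent, so the noisiest local rules and workstations stand out. It assumes the standard "** Alert" / "Rule:" block layout of OSSEC's alerts.log and runs on a constructed sample; the agent names, IPs and rule ids are made up.

```python
import re
from collections import Counter

# Constructed sample in the layout of OSSEC's alerts.log (assumed format;
# agent names, IPs and rule ids are made up).
SAMPLE_ALERTS = """\
** Alert 1428346412.1234: - local,sysmon,
2015 Apr 06 12:00:12 (WKSTN01) 10.0.0.11->WinEvtLog
Rule: 100200 (level 5) -> 'Sysmon: process creation'

** Alert 1428346413.1300: - local,sysmon,
2015 Apr 06 12:00:13 (WKSTN01) 10.0.0.11->WinEvtLog
Rule: 100200 (level 5) -> 'Sysmon: process creation'

** Alert 1428346415.1400: - local,sysmon,
2015 Apr 06 12:00:15 (WKSTN02) 10.0.0.12->WinEvtLog
Rule: 100200 (level 5) -> 'Sysmon: process creation'

** Alert 1428346430.1600: mail  - syslog,sshd,
2015 Apr 06 12:00:30 ossec-server->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
"""

# Second line of a block: timestamp, then "(agent) ip->location" for a
# remote agent or "hostname->location" for the server's own log files.
HDR_RE = re.compile(
    r"^\d{4} \w{3} \d\d \d\d:\d\d:\d\d (?:\((\S+)\) \S+|(\S+))->(\S+)$", re.M)
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.M)

def parse_alerts(text):
    """Return one (agent, rule_id, level, location) tuple per alert block."""
    records = []
    for block in text.split("** Alert ")[1:]:
        hdr, rule = HDR_RE.search(block), RULE_RE.search(block)
        if not hdr or not rule:
            continue  # truncated block, e.g. the tail of a log being rotated
        agent = hdr.group(1) or hdr.group(2)
        records.append((agent, int(rule.group(1)), int(rule.group(2)), hdr.group(3)))
    return records

def alert_counts(text):
    """Tally alerts per rule id and per agent: the noisiest rules and hosts."""
    records = parse_alerts(text)
    return Counter(r[1] for r in records), Counter(r[0] for r in records)

if __name__ == "__main__":
    by_rule, by_agent = alert_counts(SAMPLE_ALERTS)
    print("per rule:", by_rule.most_common(), "per agent:", by_agent.most_common())
```

Alerts are only the events that matched a rule at or above the alert level, so this shows which rules and agents dominate analysisd's output rather than every event it decoded; point it at /var/ossec/logs/alerts/alerts.log for real numbers.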
