Yes. It seems like the load is back down again on the server. I don't know for 100%, but I have a pretty good idea as to what was causing it. I turned each agent off one at a time and the load gradually went down. So I know it wasn't just one agent causing all the problems. Like I said, I was using Sysmon to monitor process creations and network connections. Looking at one of my agents, I was seeing a ton of network connection events from Sysmon and most of them were unnecessary events (NetBIOS, LLMNR, SSDP, etc.). So I disabled Network Discovery on all my Windows machines and blocked all outbound connections for those services. There were a ton of NetBIOS broadcasts, etc. After doing that, the network chatter stopped and now there aren't as many network connection events. I think the OSSEC server was just overloaded with them all.
Seems to be working better now. I'll keep an eye on it as I deploy more agents out. Thanks.

On Thursday, June 18, 2015 at 11:10:47 PM UTC-4, SoulAuctioneer wrote:

> Are you using the syscheck FIM stuff at all?
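Another way to stop that discovery chatter from ever reaching the OSSEC server is to exclude it in the Sysmon config itself. This is an added example, not the poster's own configuration; the schema version and the extra mDNS port (5353) are assumptions.

```xml
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <!-- Event ID 1: keep logging every process creation (empty exclude = log all) -->
    <ProcessCreate onmatch="exclude"/>

    <!-- Event ID 3: log network connections, but drop the LAN discovery noise
         that was flooding the OSSEC server. With only an "exclude" rule set,
         every connection that does not match is still logged. -->
    <RuleGroup name="lan-discovery-noise" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <DestinationPort condition="is">137</DestinationPort>  <!-- NetBIOS name service -->
        <DestinationPort condition="is">138</DestinationPort>  <!-- NetBIOS datagram -->
        <DestinationPort condition="is">5355</DestinationPort> <!-- LLMNR -->
        <DestinationPort condition="is">1900</DestinationPort> <!-- SSDP -->
        <DestinationPort condition="is">5353</DestinationPort> <!-- mDNS (assumed extra) -->
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

Load it with `sysmon -c <file>` on each agent. Filtering only hides the events from OSSEC, so disabling Network Discovery and blocking those services outbound, as done above, remains the stronger fix since it also removes the traffic itself.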
