Thanks for the follow-up. We are collecting Sysmon using event forwarding in Windows from ~300 hosts with no issues, but we have not turned on network connections and will watch for the network discovery chatter when we do.
On Friday, June 19, 2015 at 6:48:33 AM UTC-6, [email protected] wrote:

> Yes. It seems like the load is back down again on the server. I don't know for 100%, but I have a pretty good idea as to what was causing it. I turned each agent off one at a time and the load gradually went down. So I know it wasn't just one agent causing all the problems. Like I said, I was using Sysmon to monitor process creations and network connections. Looking at one of my agents, I was seeing a ton of network connection events from Sysmon, and most of them were unnecessary events (NetBIOS, LLMNR, SSDP, etc.). So I disabled Network Discovery on all my Windows machines and blocked all outbound connections for those services. There was a ton of NetBIOS broadcasts etc. After doing that, the network chatter stopped and now there aren't as many network connection events. I think the OSSEC server was just overloaded with them all.
>
> Seems to be working better now. I'll keep an eye on it as I deploy more agents out. Thanks.
>
> On Thursday, June 18, 2015 at 11:10:47 PM UTC-4, SoulAuctioneer wrote:
>>
>> Are you using the syscheck FIM stuff at all?
>>
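The quoted reply judged by eye that most of the Sysmon network-connection (Event ID 3) records were NetBIOS, LLMNR and SSDP discovery chatter. Before deciding what to exclude or block, it helps to measure that share. The script below is an added example, not code from this thread, from OSSEC or from Sysmon: it parses Windows event XML records as Sysmon writes them, labels each Event ID 3 record as one of those noise categories (by UDP destination port 137/138/1900/5355 or by the LLMNR/SSDP multicast destination addresses) or as a connection worth keeping, and tallies the result. The sample records, hostnames and addresses are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Windows event XML namespace used by exported Sysmon records.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Discovery/broadcast traffic the thread identifies as noise, keyed by UDP destination port.
NOISE_PORTS = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    1900: "SSDP",
    5355: "LLMNR",
}
# Well-known LLMNR/SSDP multicast groups; a connection to one of these is noise regardless of port.
NOISE_MCAST = {"224.0.0.252": "LLMNR", "ff02::1:3": "LLMNR", "239.255.255.250": "SSDP"}


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) from one Windows event XML record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data


def classify(data):
    """Label a Sysmon Event ID 3 record with a noise category, or None if it should be kept."""
    proto = data.get("Protocol", "").lower()
    dst_ip = data.get("DestinationIp", "")
    try:
        dst_port = int(data.get("DestinationPort", ""))
    except ValueError:
        dst_port = -1
    if dst_ip in NOISE_MCAST:
        return NOISE_MCAST[dst_ip]
    if proto == "udp" and dst_port in NOISE_PORTS:
        return NOISE_PORTS[dst_port]
    return None


def summarize(records):
    """Tally noise categories over Event ID 3 records; returns (Counter, kept, total)."""
    counts, kept, total = Counter(), 0, 0
    for xml_text in records:
        event_id, data = parse_event(xml_text)
        if event_id != 3:  # only network-connection events matter here
            continue
        total += 1
        label = classify(data)
        if label is None:
            kept += 1
        else:
            counts[label] += 1
    return counts, kept, total


def _record(event_id, image, proto, src_ip, src_port, dst_ip, dst_port):
    """Build a constructed Sysmon event record in Windows event XML form (sample data only)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="Image">{image}</Data>
    <Data Name="Protocol">{proto}</Data>
    <Data Name="SourceIp">{src_ip}</Data>
    <Data Name="SourcePort">{src_port}</Data>
    <Data Name="DestinationIp">{dst_ip}</Data>
    <Data Name="DestinationPort">{dst_port}</Data>
  </EventData>
</Event>"""


# Constructed sample: four discovery broadcasts, one OSSEC agent check-in, one HTTPS session,
# plus one process-creation event (ID 1) that the summary must skip.
SAMPLE_EVENTS = [
    _record(3, r"C:\Windows\System32\svchost.exe", "udp", "10.0.0.5", 137, "10.0.0.255", 137),
    _record(3, r"C:\Windows\System32\svchost.exe", "udp", "10.0.0.5", 55000, "224.0.0.252", 5355),
    _record(3, r"C:\Windows\System32\svchost.exe", "udp", "10.0.0.5", 55001, "239.255.255.250", 1900),
    _record(3, "System", "udp", "10.0.0.5", 138, "10.0.0.255", 138),
    _record(3, r"C:\Program Files (x86)\ossec-agent\ossec-agent.exe", "udp", "10.0.0.5", 1514, "10.0.0.2", 1514),
    _record(3, r"C:\Program Files\Browser\browser.exe", "tcp", "10.0.0.5", 50000, "203.0.113.10", 443),
    _record(1, r"C:\Windows\System32\cmd.exe", "", "", "", "", ""),
]

if __name__ == "__main__":
    counts, kept, total = summarize(SAMPLE_EVENTS)
    for label, n in counts.most_common():
        print(f"{label:22s} {n}")
    print(f"noise {total - kept}/{total}, kept {kept}")
```

Run against a real export of the Sysmon operational log, the per-category counts tell you which destinations are worth an exclusion rule in the Sysmon configuration's `NetworkConnect` filter (`onmatch="exclude"` on `DestinationPort` or `DestinationIp`), so the agents never forward that chatter in the first place and the OSSEC server load drops at the source; blocking the services at the firewall, as the reply did, is the other option and the two can be combined.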
