Hi Pedro,

I will set up the OSSEC sleep to 0 (syscheck.sleep). When you set sleep to 0, what value do you set for syscheck.sleep_after? Do you set that to 0 as well?

I will also set the frequency that syscheck is executed to about 600 seconds or so to be on the safe side and then test for 500, and then 400.

Cheers

On Tuesday, 28 June 2016 08:10:12 UTC+1, Pedro S wrote:
>
> Hi Tahir,
>
> We have been experimenting with those values of syscheck. I can tell you it's like SUPER FAST when you set sleep to 0; I have some videos recorded about how OSSEC can complete a 3000-file database in a few seconds.
> In my tests OSSEC can work with 0 sleep, but be aware that the agent will consume all the CPU in a few seconds. The agent must not cause any risk to the endpoint; that's why sleep is sometimes used, to prevent the agent from collapsing the CPU.
>
> Regarding the frequency, right now OSSEC has a 300-second (here <https://github.com/wazuh/ossec-wazuh/blob/ef7a1d113183fcf8f83bd9022d724ddb9228ce94/src/syscheckd/run_check.c#L297>) sleep on Syscheck, so <frequency> must be set to a minimum of 300s (I recommend a few more seconds, or lowering the hardcoded sleep).
>
> Best regards,
>
> Pedro S.
>
> On Mon, Jun 27, 2016 at 7:01 AM, Tahir Hafiz <[email protected]> wrote:
>
>> We are looking at performance testing/tuning OSSEC.
>> As many of you are aware there is a configuration option in OSSEC's internal_options.conf file for changing the following:
>>
>> syscheck.sleep=2
>>
>> syscheck.sleep_after=15
>>
>> I am wondering if anyone has modified these parameters and to what effect long-term?
>> Is it safe to set these to syscheck.sleep to zero and syscheck.sleep to 128 long term?
>>
>> Also, within the ossec.conf file itself there is a syscheck parameter for "frequency"; we have changed this to half an hour (1800 seconds).
>> Is it safe to change this to 10 minutes (600 seconds) in the long term?
>>
>> Cheers
