On Friday, December 9, 2016 at 12:30:08 AM UTC-5, dan (ddpbsd) wrote:
> On Dec 8, 2016 4:41 PM, "Chris Decker" <[email protected]> wrote:
> > All,
> >
> > I have an OSSEC instance (running the latest/greatest Wazuh code cloned
> > from GitHub) that has about 1k active hosts. I've noticed recently that
> > hosts are flipping back and forth between *Active* and *Disconnected*.
>
> Perhaps the manager is too busy? I can't remember the host limit offhand,
> but I believe ossec limits the number of agents to a number smaller than
> 1000.

My Manager was compiled to support a maximum of 20480 agents (and I confirmed that this is reflected in the Manager's ossec.log [1]). It is possible that the Manager is too busy, but I would expect CPU to be the limiting factor, and I haven't witnessed that; remoted CPU usage is less than 5% and analysisd usually hovers around 75%.

> > I've also noticed that not all of the log messages from *Active* hosts
> > are being received by the Manager. For example, I have an agent that
> > generates the same log message every second. I have debug enabled on the
> > Agent and I can see logcollector reading each message, but only *some* of
> > the messages are received on the Manager (I monitored it for a while and
> > it's not that the messages show up later due to network congestion; I don't
> > see the messages ever being received). I tried disabling the agent ID
> > checks on both the Manager and Agent but that didn't have any impact.
>
> Ossec will discard some repeated messages. I forget the timeframe offhand
> though.

The messages that auditd is generating are unique enough (e.g. they have a unique timestamp and audit ID) that I assumed (yeah, I know!) OSSEC wouldn't throw those messages away.

> > I suspect there is a misconfiguration or limit I am running into on my
> > Manager running RHEL 7, but I haven't been able to track it down. I did a
> > simple netcat test between the same two hosts and there was no lag in
> > transmissions.
> >
> > Any suggestions/thoughts from the community?
> >
> > Thanks,
> > Chris
> >
> > --
> > ---
> > You received this message because you are subscribed to the Google Groups
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
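The two symptoms in this thread (agents flapping between Active and Disconnected, and per-second auditd events that the agent's logcollector reads but the manager never records) are both easier to reason about once they are measured rather than eyeballed. The following script is an added example written for this discussion, not code from OSSEC or Wazuh. It parses a constructed excerpt of manager log lines to count Disconnected-then-Active cycles per agent, and compares the audit serials an agent sent against those the manager received to quantify loss. The timestamp/program/level prefix follows the usual ossec.log layout, but the exact wording of the agent-status message (`Agent '...' (id N) is now Active.`) is an assumption made for this example; adapt `LINE_RE` to whatever your manager actually logs.

```python
"""Triage helpers for agent flapping and event loss on an OSSEC/Wazuh manager.

Added example for the mailing-list thread above; not project code.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed manager log excerpt. The status-message wording is assumed for
# this example (the real manager text may differ); the prefix layout
# "YYYY/MM/DD HH:MM:SS program: LEVEL: message" is the usual ossec.log form.
SAMPLE_MANAGER_LOG = """\
2016/12/08 16:40:01 ossec-remoted: INFO: Agent 'web01' (id 1001) is now Active.
2016/12/08 16:40:03 ossec-remoted: INFO: Agent 'db02' (id 1002) is now Active.
2016/12/08 16:41:10 ossec-remoted: INFO: Agent 'web01' (id 1001) is now Disconnected.
2016/12/08 16:41:25 ossec-remoted: INFO: Agent 'web01' (id 1001) is now Active.
2016/12/08 16:42:02 ossec-remoted: INFO: Agent 'web01' (id 1001) is now Disconnected.
2016/12/08 16:42:14 ossec-remoted: INFO: Agent 'web01' (id 1001) is now Active.
2016/12/08 16:45:00 ossec-remoted: INFO: Agent 'db02' (id 1002) is now Disconnected.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+: \w+: "
    r"Agent '(?P<name>[^']+)' \(id (?P<id>\d+)\) is now (?P<state>Active|Disconnected)\.$"
)


def parse_transitions(text):
    """Return {agent_id: [(timestamp, state), ...]} in log order."""
    by_agent = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        by_agent[m["id"]].append((ts, m["state"]))
    return dict(by_agent)


def count_flaps(events):
    """One flap = a Disconnected event followed by a return to Active.

    Returns the list of downtime durations in seconds, one per flap.
    """
    downtimes = []
    for (t_prev, s_prev), (t_cur, s_cur) in zip(events, events[1:]):
        if s_prev == "Disconnected" and s_cur == "Active":
            downtimes.append((t_cur - t_prev).total_seconds())
    return downtimes


def flapping_agents(text, min_flaps=2):
    """Agents that flapped at least min_flaps times, with mean downtime."""
    report = {}
    for agent, events in parse_transitions(text).items():
        downtimes = count_flaps(events)
        if len(downtimes) >= min_flaps:
            report[agent] = {
                "flaps": len(downtimes),
                "mean_down_s": sum(downtimes) / len(downtimes),
            }
    return report


# auditd records carry a unique serial after the colon in msg=audit(...:SERIAL)
AUDIT_ID_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")

# Constructed agent-side (logcollector debug) view: ten consecutive records.
SENT_BY_AGENT = [
    f"type=SYSCALL msg=audit({1481233261 + i}.000:{4521 + i}): syscall=59 success=yes"
    for i in range(10)
]
# Constructed manager-side view: three of those records never arrived.
RECEIVED_BY_MANAGER = [l for i, l in enumerate(SENT_BY_AGENT) if i not in (3, 6, 7)]


def audit_serials(lines):
    """Extract the audit serial from each line that carries one."""
    return [int(m.group(1)) for m in (AUDIT_ID_RE.search(l) for l in lines) if m]


def loss_report(sent_lines, received_lines):
    """Which serials the agent sent that the manager never logged, plus loss %."""
    sent = audit_serials(sent_lines)
    received = set(audit_serials(received_lines))
    missing = [s for s in sent if s not in received]
    loss_pct = round(100.0 * len(missing) / len(sent), 1) if sent else 0.0
    return {"sent": len(sent), "received": len(sent) - len(missing),
            "missing": missing, "loss_pct": loss_pct}


if __name__ == "__main__":
    print("flapping agents:", flapping_agents(SAMPLE_MANAGER_LOG))
    print("event loss:", loss_report(SENT_BY_AGENT, RECEIVED_BY_MANAGER))
```

Because each missing record has its own serial, the loss report also answers dan's point about repeated-message suppression: serials that differ are not literal repeats, so a gap in this list points at transport or manager-side processing (for example an overloaded analysisd, the 75% figure in the thread) rather than at deduplication.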
