Done, very informative indeed. Thank you Brett.

Regards
Sylvain Crouet
Security Officer - Security is everybody's responsibility
Mobile +33 (0) 7 75 24 10 28

From: [email protected] [mailto:[email protected]] On Behalf Of Brett Simpson
Sent: Tuesday 19 December 2017 14:42
To: [email protected]
Subject: Re: [ossec-list] Re: ossec-remoted high CPU

Do <logall>true</logall> inside your global ossec.conf directive on the ossec server. This will log everything to /var/ossec/logs/archives/archives.log. I would do that for 5 minutes, then disable it and look through that archive to see what is showing up.

On Tue, Dec 19, 2017 at 8:35 AM, Sylvain Crouet <[email protected]> wrote:

Hello,

How can I identify the agent on which I should do that? I already stopped the most verbose agents, and there is no change in CPU.

Regards
Sylvain Crouet
Security Officer - Security is everybody's responsibility
Mobile +33 (0) 7 75 24 10 28

From: [email protected] [mailto:[email protected]] On Behalf Of Brett Simpson
Sent: Thursday 14 December 2017 18:38
To: ossec-list <[email protected]>
Subject: [ossec-list] Re: ossec-remoted high CPU

I would suggest you turn on debug on one of the agents and see what the agent is trying to send versus what the server actually keeps. I had issues with a few event IDs generating thousands of events per second that weren't even used by the ossec server, so I used lines like these on the agent to drop them without sending.

  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 256] and Event/System[EventID != 258]</query>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 4656] and Event/System[EventID != 4658] and Event/System[EventID != 4670] and Event/System[EventID != 4672] and Event/System[EventID != 4688] and Event/System[EventID != 4689] and Event/System[EventID != 4690] and Event/System[EventID != 5152] and Event/System[EventID != 5156] and Event/System[EventID != 5158] and Event/System[EventID != 5447]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID!=7000]</query>
  </localfile>

On Tuesday, December 12, 2017 at 10:04:55 AM UTC-5, Sylvain Crouet wrote:

Hello,

One of my OSSEC servers has been constantly busy (100% CPU) for some days, with ossec-remoted between 90% and 100% CPU. This server manages only about 65 agents. What can explain this high CPU utilization and how can I solve it? I already restarted the OSSEC services and the whole server.

Kind regards
Sylvain Crouet
Security Officer - Security is everybody's responsibility
Mobile +33 (0) 7 75 24 10 28
Neocase™ Software is a leading provider of integrated HR and Finance service delivery solutions. www.neocasesoftware.com

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
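An added example, not code from the thread or from the OSSEC project, that joins Brett's two suggestions: once a short <logall>true</logall> capture is in /var/ossec/logs/archives/archives.log, rank the agents and Windows event IDs by line count to answer "which agent should I look at", and turn the noisiest IDs into the <query> expression form Brett used on the agent. The archives.log line layout ("YYYY Mon DD HH:MM:SS (agent) ip->location message" for remote agents, "host->location message" for the manager itself) and the "WinEvtLog: Channel: TYPE(EventID):" message prefix are assumptions based on OSSEC's usual output; the sample lines are constructed.

```python
"""Rank OSSEC agents and Windows event IDs by volume in a <logall> archive.

Added example, not from the ossec-list thread. Assumed archives.log layout:
  "YYYY Mon DD HH:MM:SS (agent) ip->location message"   remote agent
  "YYYY Mon DD HH:MM:SS host->location message"         the manager itself
Assumed Windows event prefix: "WinEvtLog: Channel: TYPE(EventID): ..."
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+))"
    r"->(?P<location>\S+) (?P<msg>.*)$"
)
WINEVT_RE = re.compile(r"^WinEvtLog: (?P<channel>[^:]+): \w+\((?P<event_id>\d+)\):")

# Constructed sample of what a 5-minute logall window might contain.
SAMPLE_LINES = [
    "2017 Dec 19 14:40:01 (WIN-APP01) 10.0.0.21->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4656): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-APP01: A handle to an object was requested.",
    "2017 Dec 19 14:40:01 (WIN-APP01) 10.0.0.21->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4656): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-APP01: A handle to an object was requested.",
    "2017 Dec 19 14:40:01 (WIN-APP01) 10.0.0.21->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(5156): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-APP01: The Windows Filtering Platform has permitted a connection.",
    "2017 Dec 19 14:40:02 (WIN-APP01) 10.0.0.21->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4656): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-APP01: A handle to an object was requested.",
    "2017 Dec 19 14:40:02 (WIN-DC01) 10.0.0.10->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-DC01: An account was successfully logged on.",
    "2017 Dec 19 14:40:02 (web01) 10.0.0.30->/var/log/auth.log Dec 19 14:40:02 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
    "2017 Dec 19 14:40:03 ossec-server->/var/log/syslog Dec 19 14:40:03 ossec-server ossec-remoted: INFO: Started (pid: 1234).",
    "this line is not in archives.log format",
]


def parse_archive_line(line):
    """Return agent/location/channel/event_id for one archives.log line, or None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {
        "agent": m.group("agent") or m.group("host"),
        "location": m.group("location"),
        "channel": None,
        "event_id": None,
    }
    w = WINEVT_RE.match(m.group("msg"))
    if w:  # only Windows event log lines carry a channel and numeric event ID
        rec["channel"] = w.group("channel")
        rec["event_id"] = int(w.group("event_id"))
    return rec


def summarize(lines):
    """Count lines per agent and per (agent, channel, event_id); report unparsed lines."""
    by_agent = Counter()
    by_event = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_archive_line(line)
        if rec is None:
            unparsed += 1
            continue
        by_agent[rec["agent"]] += 1
        if rec["event_id"] is not None:
            by_event[(rec["agent"], rec["channel"], rec["event_id"])] += 1
    return by_agent, by_event, unparsed


def build_query(event_ids):
    """Render a set of noisy event IDs in the <query> form used on the agent side."""
    return " and ".join(f"Event/System[EventID != {eid}]" for eid in sorted(event_ids))


def report(lines, top=5):
    """Print the noisiest agents and event IDs and a suggested <query> per channel."""
    by_agent, by_event, unparsed = summarize(lines)
    print(f"parsed {sum(by_agent.values())} lines, {unparsed} unparsed")
    for agent, n in by_agent.most_common(top):
        print(f"{n:8d}  {agent}")
    drop = {}
    for (agent, channel, eid), n in by_event.most_common(top):
        print(f"{n:8d}  {agent} {channel} EventID {eid}")
        drop.setdefault((agent, channel), set()).add(eid)
    for (agent, channel), ids in drop.items():
        print(f"{agent} {channel}: <query>{build_query(ids)}</query>")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            report(fh)
    else:
        report(SAMPLE_LINES)
```

Run it as `python3 rank_archive.py /var/ossec/logs/archives/archives.log` right after the logall window; the agents at the top of the list are the ones whose traffic ossec-remoted is decrypting and queuing, and the per-channel query lines are a starting point for the agent-side filter rather than a rule to apply blindly, since some of those IDs (4624, 4688) are ones a detection team usually wants to keep.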
