On Wed, Dec 20, 2017 at 4:48 AM, Sylvain Crouet <[email protected]> wrote:
> Hello,
>
> I updated the shared agent.conf file to discard some Windows events. But I
> notice that Windows 2.9.0 agents do not receive this shared configuration
> file, while 2.8.3 and 2.9.2 do. Below is the output of the deployment checking
> script:
There were some issues with Windows transferring files (had to be in binary
mode or something?). I can't remember off hand when it was fixed exactly.

> Current version: c0db7baf32df4a94479756bd6a8c2e63
>
> 001 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 002 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 003 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 004 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 005 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 007 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 008 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 009 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 010 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 011 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 012 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 013 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 014 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 015 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 016 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 017 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 018 v2.9.0/3757083ea8656e6141cafb893b55488b NOK
> 019 v2.9.0/3757083ea8656e6141cafb893b55488b NOK
> 022 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 023 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
> 024 v2.9.0 NOK
> 025 v2.9.0 NOK
>
> The OSSEC server version is 2.9.2.
> Any idea?
>
> Cordialement / Regards
>
> Sylvain Crouet
> Security Officer - Security is everybody’s responsibility
> Mobile +33 (0) 7 75 24 10 28
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Sylvain Crouet
> Sent: Tuesday 19 December 2017 17:24
> To: [email protected]
> Subject: RE: [ossec-list] Re: ossec-remoted high CPU
>
> Done, very informative indeed. Thank you Brett.
>
> Cordialement / Regards
>
> Sylvain Crouet
> Security Officer - Security is everybody’s responsibility
> Mobile +33 (0) 7 75 24 10 28
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Brett Simpson
> Sent: Tuesday 19 December 2017 14:42
> To: [email protected]
> Subject: Re: [ossec-list] Re: ossec-remoted high CPU
>
> Do <logall>true</logall> inside your global ossec.conf directive on the
> ossec server. This will log everything to
> /var/ossec/logs/archives/archives.log. I would do that for 5 minutes then
> disable it and look through that archive to see what is showing up.
>
> On Tue, Dec 19, 2017 at 8:35 AM, Sylvain Crouet <[email protected]> wrote:
>
> Hello,
>
> How can I identify the agent on which I should do that? I already stopped
> the most verbose agents, and there is no change on CPU.
>
> Cordialement / Regards
>
> Sylvain Crouet
> Security Officer - Security is everybody’s responsibility
> Mobile +33 (0) 7 75 24 10 28
>
> From: [email protected] [mailto:[email protected]] On Behalf Of Brett Simpson
> Sent: Thursday 14 December 2017 18:38
> To: ossec-list <[email protected]>
> Subject: [ossec-list] Re: ossec-remoted high CPU
>
> I would suggest you turn on debug on one of the agents and see what the
> agent is trying to send versus what the server actually keeps. I had issues
> with a few event IDs generating thousands of events per second that weren't
> even used by the ossec server, so I used a line like this on the agent to
> drop them without sending.
>
> <localfile>
>   <location>Application</location>
>   <log_format>eventchannel</log_format>
>   <query>Event/System[EventID != 256] and Event/System[EventID != 258]</query>
> </localfile>
>
> <localfile>
>   <location>Security</location>
>   <log_format>eventchannel</log_format>
>   <query>Event/System[EventID != 4656] and Event/System[EventID != 4658] and Event/System[EventID != 4670] and Event/System[EventID != 4672] and Event/System[EventID != 4688] and Event/System[EventID != 4689] and Event/System[EventID != 4690] and Event/System[EventID != 5152] and Event/System[EventID != 5156] and Event/System[EventID != 5158] and Event/System[EventID != 5447]</query>
> </localfile>
>
> <localfile>
>   <location>System</location>
>   <log_format>eventchannel</log_format>
>   <query>Event/System[EventID != 7000]</query>
> </localfile>
>
> On Tuesday, December 12, 2017 at 10:04:55 AM UTC-5, Sylvain Crouet wrote:
>
> Hello,
>
> One of my OSSEC servers has been always busy (100% CPU) for some days, with
> ossec-remoted between 90% and 100% CPU. This server manages only about 65
> agents. What can explain this high CPU utilization and how can I solve it? I
> already restarted the OSSEC services and the whole server.
>
> Cordialement / Kind regards
>
> Sylvain Crouet
> Security Officer - Security is everybody’s responsibility
> Mobile +33 (0) 7 75 24 10 28
>
> Neocase™ Software is a leading provider of integrated HR and Finance service
> delivery solutions.
> www.neocasesoftware.com
>
> --
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
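The "deployment checking script" whose output is pasted at the top of the thread is not included in the mail. The shell script below is an added example of how such a check can be built, not the poster's script and not part of OSSEC. It assumes two things that match what OSSEC 2.8/2.9 prints in my experience but that should be verified on your own server: `agent_control -i <id>` reports a line of the form `Client version:      OSSEC HIDS v2.8.3 / <md5>`, where the md5 is the hash of the shared configuration the agent last received (and is simply absent when the agent has never reported one, which is what the bare `v2.9.0` entries above look like), and the server-side file that remoted serves is `$OSSEC_DIR/etc/shared/merged.mg`. The sample `agent_control` outputs in the block are constructed, reusing the hashes from the thread, so the parsing can be exercised offline; the function names (`parse_client_version`, `judge`, `check_all_agents`, `demo_line`) are mine.

```shell
#!/bin/sh
# Compare the shared-config hash the server is serving with the hash each
# connected agent reports. Added example, not the script from the thread.
# Assumptions (verify on your install):
#   - `agent_control -i ID` prints
#       "Client version:      OSSEC HIDS v2.8.3 / <md5 of merged.mg>"
#     and omits the " / <md5>" part when the agent reported no hash;
#   - the served file is $OSSEC_DIR/etc/shared/merged.mg.
OSSEC_DIR=${OSSEC_DIR:-/var/ossec}

# current_shared_hash: MD5 of the merged.mg that remoted pushes to agents.
current_shared_hash() {
    md5sum "$OSSEC_DIR/etc/shared/merged.mg" | cut -d' ' -f1
}

# parse_client_version: turn `agent_control -i` output on stdin into
# "vX.Y.Z/hash", or just "vX.Y.Z" when no hash was reported.
parse_client_version() {
    sed -n \
        -e 's#^ *Client version: *OSSEC HIDS \(v[0-9.]*\) */ *\([0-9a-f]*\).*#\1/\2#p' \
        -e 's#^ *Client version: *OSSEC HIDS \(v[0-9.]*\).*#\1#p'
}

# judge VERSION_HASH EXPECTED_HASH: OK only when the agent reports exactly the
# hash the server is serving; a stale hash or no hash at all is NOK.
judge() {
    case "$1" in
        */"$2") echo OK ;;
        *)      echo NOK ;;
    esac
}

# check_all_agents: walk the connected agents and print "id version/hash OK|NOK"
# in the same shape as the listing in the thread.
check_all_agents() {
    expected=$(current_shared_hash)
    echo "Current version: $expected"
    "$OSSEC_DIR/bin/agent_control" -lc \
        | sed -n 's/^ *ID: \([0-9]*\),.*/\1/p' \
        | while read -r id; do
            ver=$("$OSSEC_DIR/bin/agent_control" -i "$id" | parse_client_version)
            printf '%s %s %s\n' "$id" "$ver" "$(judge "$ver" "$expected")"
          done
}

# Constructed `agent_control -i` outputs (not captured from a real server) so
# the parsing can be exercised offline. Hashes are the ones from the thread.
SAMPLE_OK='   Agent ID:   001
   Agent Name: win-fs01
   Status:     Active
   Client version:      OSSEC HIDS v2.8.3 / c0db7baf32df4a94479756bd6a8c2e63'
SAMPLE_STALE='   Agent ID:   018
   Client version:      OSSEC HIDS v2.9.0 / 3757083ea8656e6141cafb893b55488b'
SAMPLE_NOHASH='   Agent ID:   024
   Client version:      OSSEC HIDS v2.9.0'

# demo_line SAMPLE EXPECTED_HASH -> "version/hash VERDICT" for one agent.
demo_line() {
    ver=$(printf '%s\n' "$1" | parse_client_version)
    printf '%s %s\n' "$ver" "$(judge "$ver" "$2")"
}

# On the OSSEC server:  ./check_shared.sh run
case "${1:-}" in
    run) check_all_agents ;;
esac
```

An agent that shows NOK for more than one or two keepalive intervals after `merged.mg` changed is worth a look in its own `ossec.log`: a stale hash means it is still reporting the previous bundle, and an empty hash means it never reported one, which is the pattern the 2.9.0 Windows agents in the listing show.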
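Brett's advice further down the thread is to turn on `<logall>` for a few minutes and read `archives.log` to see what is reaching remoted, which answers the "which agent should I look at" question. The script below is an added example of doing that reading mechanically rather than by eye; it is not from the thread or from OSSEC. It assumes the archives.log line shape that OSSEC 2.x writes when logall is on, `YYYY Mon DD HH:MM:SS (agentname) agentip->location message` for agent events and `hostname->location message` for the server's own logs, and that eventchannel messages carry `<LEVEL>(<EventID>):` after the channel name, as in `AUDIT_SUCCESS(4656):`. Both shapes should be checked against your own archive. The sample archive in the block is constructed, not real data, and the function names (`rank_agents`, `rank_event_ids`, `top_agent`, `top_event_id`) are mine.

```shell
#!/bin/sh
# Rank agents and Windows event IDs by volume in an OSSEC archives.log.
# Added example, not code from the thread. Assumed line shapes (verify):
#   "YYYY Mon DD HH:MM:SS (agentname) agentip->location message"  agent event
#   "YYYY Mon DD HH:MM:SS hostname->location message"             server's own log
#   eventchannel messages contain "<LEVEL>(<EventID>):", e.g. AUDIT_SUCCESS(4656):

# rank_agents: read archives.log on stdin, print "count agentname", busiest
# first. Lines without an "(agent) ip->" prefix are counted as "(server)".
rank_agents() {
    awk '{
        if (match($0, /\([^)]*\) [^ ]*->/)) {
            a = substr($0, RSTART + 1, RLENGTH - 1)   # "name) ip->"
            sub(/\).*/, "", a)                        # "name"
            c[a]++
        } else {
            c["(server)"]++
        }
    } END { for (a in c) printf "%d %s\n", c[a], a }' | sort -rn
}

# rank_event_ids: the same for Windows event IDs, which is the list you feed
# into the agent-side <query> so the noisy IDs are never sent at all.
rank_event_ids() {
    awk '/WinEvtLog/ && match($0, /[A-Z_]+\([0-9]+\):/) {
        id = substr($0, RSTART, RLENGTH)      # "AUDIT_SUCCESS(4656):"
        sub(/^[A-Z_]+\(/, "", id)
        sub(/\):$/, "", id)                   # "4656"
        c[id]++
    } END { for (i in c) printf "%d %s\n", c[i], i }' | sort -rn
}

# Constructed sample archive (not real data): four Security events from
# win-fs01, two from win-dc01, one sshd line from a Linux agent and one
# auth.log line from the server itself.
SAMPLE_ARCHIVE='2017 Dec 19 14:42:00 (win-fs01) 10.1.2.21->WinEvtLog 2017 Dec 19 14:41:59 WinEvtLog: Security: AUDIT_SUCCESS(4656): Microsoft-Windows-Security-Auditing: A handle to an object was requested.
2017 Dec 19 14:42:00 (win-fs01) 10.1.2.21->WinEvtLog 2017 Dec 19 14:41:59 WinEvtLog: Security: AUDIT_SUCCESS(4656): Microsoft-Windows-Security-Auditing: A handle to an object was requested.
2017 Dec 19 14:42:01 (win-fs01) 10.1.2.21->WinEvtLog 2017 Dec 19 14:42:00 WinEvtLog: Security: AUDIT_SUCCESS(4658): Microsoft-Windows-Security-Auditing: The handle to an object was closed.
2017 Dec 19 14:42:01 (win-fs01) 10.1.2.21->WinEvtLog 2017 Dec 19 14:42:01 WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: A new process has been created.
2017 Dec 19 14:42:02 (win-dc01) 10.1.2.10->WinEvtLog 2017 Dec 19 14:42:01 WinEvtLog: Security: AUDIT_SUCCESS(4672): Microsoft-Windows-Security-Auditing: Special privileges assigned to new logon.
2017 Dec 19 14:42:02 (win-dc01) 10.1.2.10->WinEvtLog 2017 Dec 19 14:42:02 WinEvtLog: Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: An account was successfully logged on.
2017 Dec 19 14:42:03 (lnx-web01) 10.1.3.5->/var/log/auth.log Dec 19 14:42:03 lnx-web01 sshd[2231]: Accepted publickey for deploy from 10.1.9.9 port 51022 ssh2
2017 Dec 19 14:42:03 ossec-srv->/var/log/auth.log Dec 19 14:42:03 ossec-srv sshd[4410]: Failed password for invalid user admin from 10.1.9.77 port 40122 ssh2'

# top_agent / top_event_id: the single busiest entry in the sample.
top_agent()    { printf '%s\n' "$SAMPLE_ARCHIVE" | rank_agents    | head -n 1; }
top_event_id() { printf '%s\n' "$SAMPLE_ARCHIVE" | rank_event_ids | head -n 1; }

# Against a real archive:  ./rank_archive.sh /var/ossec/logs/archives/archives.log
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    echo "== events per agent";  rank_agents    < "$1"
    echo "== Windows event IDs"; rank_event_ids < "$1"
fi
```

Run it on the archive collected during the five-minute logall window; the top of the first list is the agent to put into debug mode, and the top of the second is the set of event IDs to add to that agent's `<query>` filter, as in Brett's example further down.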
