
List:       ossec-list
Subject:    Re: [ossec-list] UDP 514 receive queue unusually high
From:       Jeremy Lee <jplee3 () gmail ! com>
Date:       2009-12-17 19:38:13
Message-ID: 8583839e0912171138w79513843v1ff7729bb990d349 () mail ! gmail ! com

Make sure there are no hardware firewall restrictions either. Do you have
ACLs set up? I had issues with this previously because OSSEC requires the
session state. If there are any firewall rules (software OR hardware), it's
probably best to allow all between the OSSEC server and agent(s) at least
temporarily for testing to see if that might be where the bottleneck is.



On Thu, Dec 17, 2009 at 11:06 AM, PECKENPAUGH, DEREK R <
drpeckenpaugh@oppd.com> wrote:

> Thanks for the reply.  No, the systems are the same, and the syslog
> software is the default installed.  I don't think we've got any software
> firewall issues, but I'll check further into that.  After restarting the
> syslog daemon it only took seconds to ramp up the queue again, and at the
> moment it's 10 times what it was before.
>
> __________________________________
> Derek R. Peckenpaugh
> Information Protection
> 636.2372
>
>
> -----Original Message-----
> From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On
> Behalf Of dan (ddp)
> Sent: Wednesday, December 16, 2009 1:36 PM
> To: ossec-list@googlegroups.com
> Subject: Re: [ossec-list] UDP 514 receive queue unusually high
>
> Are the two systems (ossec server that worked and the server that does
> not) different? Which syslog software is running on each? Is there a
> software firewall on the server that doesn't work? Have you tried
> restarting the syslog daemon?
>
> On Wed, Dec 16, 2009 at 1:00 PM, PECKENPAUGH, DEREK R
> <drpeckenpaugh@oppd.com> wrote:
> > Yes, we've done a dump.  And when we move a system from this ossec server
> > to another, we get alerts written like we want.  I'm trying not to reinstall
> > ossec on this box, but that might be the answer.  We can't figure out how to
> > drain that queue.
> >
> > Thanks,
> > Doc
> >
> >

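Added example, not part of the original thread: a way to measure the UDP 514 receive queue discussed above and tell whether the listener is draining it. It assumes a Linux host exposing /proc/net/udp (the thread does not name the OS); the sample text and the function names are constructed for illustration.

```python
import time

# Constructed sample in the Linux /proc/net/udp layout (not data from the thread).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  41: 00000000:0202 00000000:0000 07 00000000:0003A980 00:00000000 00000000     0        0 11873 2 ffff880037a1c000 5123
  77: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9120 2 ffff880037a1c400 0
"""

def udp_queues(text, port=514):
    """Return [(local_addr_hex, rx_queue_bytes, drops)] for sockets bound to port."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 5:
            continue
        addr, port_hex = f[1].split(":")        # port is hex: 514 == 0x0202
        if int(port_hex, 16) != port:
            continue
        rx = int(f[4].split(":")[1], 16)        # field is tx_queue:rx_queue, hex bytes
        drops = int(f[-1]) if len(f) >= 13 else None   # older kernels lack "drops"
        rows.append((addr, rx, drops))
    return rows

def diagnose(before, after):
    """Compare two snapshots of the same socket taken a few seconds apart."""
    (_, rx0, d0), (_, rx1, d1) = before, after
    if d0 is not None and d1 is not None and d1 > d0:
        return "dropping"      # socket buffer overflowed, datagrams are being lost
    if rx1 > 0 and rx1 >= rx0:
        return "backlogged"    # the process owning the socket is not reading it
    return "draining"

if __name__ == "__main__":
    def snapshot():
        try:
            with open("/proc/net/udp") as fh:
                return udp_queues(fh.read())
        except OSError:
            return udp_queues(SAMPLE)           # fall back to the constructed sample
    first = snapshot()
    time.sleep(5)
    for a, b in zip(first, snapshot()):
        print(b[0], "rx_queue=%d bytes" % b[1], "drops=%s" % b[2], diagnose(a, b))
```

A queue that stays non-zero between snapshots points at the reader on the socket; a firewall or ACL problem between hosts would instead keep datagrams from reaching the queue at all.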