
List:       ossec-list
Subject:    Re: [ossec-list] ossec-execd 100% cpu usage on CentOS 7
From:       "dan (ddp)" <ddpbsd () gmail ! com>
Date:       2014-08-27 20:47:49
Message-ID: CAMyQvMr4QZficKe=h9x47JBMPauyK2=Omy8aMzH34rs=vpkFBw () mail ! gmail ! com

On Tue, Aug 26, 2014 at 4:28 PM, Jeroen Beerstra
<jeroen.beerstra@gmail.com> wrote:
> No no, you didn't. I mean if there is a bigger problem, for example with
> firewalld (being enabled by default) I expect more complaints about this.
> Have seen other problems with it, also with systemd....
> 

I'm in the camp that sees systemd as a problem... :-P

> On Tuesday, 26 August 2014 21:59:04 UTC+2, dan (ddpbsd) wrote:
> > 
> > On Tue, Aug 26, 2014 at 2:38 PM, Jeroen Beerstra
> > <jeroen....@gmail.com> wrote:
> > > Let's hope so :)
> > > 
> > > I wouldn't call RHEL7 hardly relevant ;) But perhaps it's just something
> > > specific to my setup, haven't been able to figure out what exactly ....
> > > Been using ossec for years now and so far it just worked(tm).
> > > 
> > 
> > I don't remember saying RHEL 7 was "hardly relevant." If I did, I
> > retract the statement immediately.
> > 
> > > On Tuesday, 26 August 2014 20:22:32 UTC+2, dan (ddpbsd) wrote:
> > > > 
> > > > On Tue, Aug 26, 2014 at 10:52 AM, Jeroen Beerstra
> > > > <jeroen....@gmail.com> wrote:
> > > > > Will check later but IIRC just the defaults, there is nothing strange
> > > > > in the logs except:
> > > > > 
> > > > > - there is an entry for adding a host to /etc/hosts.deny
> > > > > - there is an entry for adding a host to the Linux iptables table
> > > > > - there is an entry 10 min later for deleting a host from
> > > > > /etc/hosts.deny
> > > > > then there is nothing but ossec-execd consuming all resources on one
> > > > > cpu
> > > > > 
> > > > > In RHEL 7 they changed from just a static iptables script with config
> > > > > tools to firewalld with a dynamic api and tools, so I was wondering if
> > > > > this could be the reason for my problem.
> > > > > 
> > > > 
> > > > It's possible. I don't know if anyone's done much testing with that stuff.
> > > > 
> > > > > 
> > > > > On Tuesday, 26 August 2014 14:59:31 UTC+2, dan (ddpbsd) wrote:
> > > > > > 
> > > > > > On Mon, Aug 25, 2014 at 9:24 AM, Jeroen Beerstra
> > > > > > <jeroen....@gmail.com> wrote:
> > > > > > > I recently installed ossec on my fresh CentOS 7 machine and now
> > > > > > > execd consumes all resources on one core every now and then (at
> > > > > > > least once a day most times sooner). Could this be a problem with
> > > > > > > firewalld that is included (and enabled by default) with RHEL7?
> > > > > > > Don't see much in the logs but I did notice blocked hosts are
> > > > > > > cleared from /etc/hosts.deny but not always from iptables, which
> > > > > > > leads me to the former question.
> > > > > > > 
> > > > > > > So far all I can do is "kill -9 `pidof ossec-execd`; systemctl
> > > > > > > restart ossec-hids.service"
> > > > > > > 
> > > > > > 
> > > > > > 
> > > > > > Is it just ossec-execd? What's your AR configuration? Are there a
> > > > > > lot of entries in active-response.log during the times it spikes?
> > > > > > Check for the scripts you have enabled in the current process list.
> > > > > > Are there a lot?
> > > > > > 
> > > > > > > regards,
> > > > > > > 
> > > > > > > Jeroen Beerstra
> > > > > > > 
> > > > > > > --
> > > > > > > 
> > > > > > > ---
> > > > > > > You received this message because you are subscribed to the Google
> > > > > > > Groups
> > > > > > > "ossec-list" group.
> > > > > > > To unsubscribe from this group and stop receiving emails from it,
> > > > > > > send
> > > > > > > an
> > > > > > > email to ossec-list+...@googlegroups.com.
> > > > > > > For more options, visit https://groups.google.com/d/optout.
> > > > > 
> > > 
> 
