List: ossec-list
Subject: [ossec-list] Re: ossec-remoted Process Pegged at 100%
From: grant () castraconsulting ! com
Date: 2014-12-17 15:01:51
Message-ID: 6f3ebbe9-a572-48b0-af36-a96d2d42d301 () googlegroups ! com

I know you are focusing on the receiving side, but 30k EPS is really high
even for 2k servers.

If the agents are on Windows servers, check your audit policies
(local/global) to make sure you don't have object access and process
tracking on (this is for debugging and not really useful to OSSEC imho).

Grant

On Tuesday, December 16, 2014 8:00:13 AM UTC-5, Chris Decker wrote:
>
> Good morning all,
>
> I have about 2,000 (heavily active) OSSEC agents sending logs to a
> Manager. On the Manager side I've noticed that *ossec-remoted* is
> hovering around 98% to 100% of a CPU.
>
> I was under the impression that *ossec-remoted* is multi-threaded, but I
> only ever see one process running (and no children). Am I doing something
> incorrectly? I was speaking with some folks on IRC and they said that not
> only is the process multi-threaded, but that a modern server could easily
> handle 70,000 EPS. Right now I have a machine with 16 Intel Xeon cores
> running at 3.3 GHz, and I estimate I'm seeing about 30,000 EPS.
>
> Any performance/tuning tips are appreciated!!!
>
>
>
>
> Thanks,
> Chris
>
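
The audit-policy check suggested in the reply above, as an added example that is not part of the original messages: it lists which Object Access and Detailed Tracking subcategories (the auditpol category that holds process tracking) are enabled on a Windows host. It assumes an elevated PowerShell prompt and English-language auditpol output; the function name is hypothetical.

```powershell
# Added example (not from the original thread). Assumes English auditpol output.
function Get-NoisyAuditSubcategory {
    [CmdletBinding()]
    param(
        # Categories named in the reply: object access and process tracking
        # (auditpol calls the latter "Detailed Tracking").
        [string[]]$Category = @('Object Access', 'Detailed Tracking')
    )
    foreach ($cat in $Category) {
        # /r emits CSV; drop blank lines before parsing.
        $csv = & auditpol.exe /get "/category:$cat" /r 2>$null |
            Where-Object { $_ -and $_.Trim() }
        if ($LASTEXITCODE -ne 0 -or -not $csv) {
            Write-Warning "auditpol returned nothing for '$cat' (prompt not elevated?)"
            continue
        }
        # Keep only subcategories that generate events (Success, Failure, or both).
        $csv | ConvertFrom-Csv |
            Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer    = $_.'Machine Name'
                    Category    = $cat
                    Subcategory = $_.Subcategory
                    Setting     = $_.'Inclusion Setting'
                }
            }
    }
}

Get-NoisyAuditSubcategory | Sort-Object Category, Subcategory | Format-Table -AutoSize
```

An empty result means neither category is producing audit events on that host, so the event volume is coming from somewhere else.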