On 06/28/2014 05:18 AM, Gerard Petersen wrote:
> Is it acceptable operating procedure for ossec to clean
> out the database without stopping the agents or is there temporary agent
> shutdown involved?
Yes. Just run ./bin/syscheck_control -u <id>
> One more thing I noticed. All hits that are not around the time of
> (re)starting the syscheck are coming from the ossec server. The ossec
> server undergoes the same updates as the systems running the agents. The
> only conclusion I can draw from this is that "agent_control -r -a" does
> not initiate the agent on the servers, which would seem odd. Can you
> confirm this?
I just looked at a couple of Linux agents and it worked for me. Keep in
mind that syscheck is both scheduled and real-time, depending on how it
is set up on your systems. So you could have alerts that are
instantaneous and every x hours.
> On the performance part. I do see quite some CPU spikes when I update
> parts of the web framework that is monitored realtime. I understand the
> inode concept. It's just I find them rather high. I'll have a look at the
> load indicator, which is more of an averaged realtime value as opposed to
> the realtime cpu spikes. What indicators do you use to confirm for
> yourself that there is no (or little) load increase?
No one yells at me. :) Seriously, while there are spikes I have noticed
that they are not sustained. I guess my applications are not that
sensitive to this kind of thing.