ossec-remoted high CPU utilization


Nikki S

Apr 26, 2017, 9:59:21 AM
to ossec-list
We have about 480 agents reporting to the OSSEC server. The remoted server is running constantly at 100% CPU utilization. Any suggestions on how to remediate this, please?

dan (ddp)

Apr 26, 2017, 3:02:06 PM
to ossec...@googlegroups.com
Is there a lot of traffic between the agents and the server?


Nikki Sridhar

Apr 26, 2017, 9:51:11 PM
to ossec...@googlegroups.com
There shouldn't be! Only system integrity configuration is enabled, and that runs every 20 hours. Real-time system integrity check is enabled for 3 directories.

I was wondering if clearing out the syscheck DB would help?

Thank you!

Phil Porada

Apr 26, 2017, 10:23:02 PM
to ossec-list
What version of OSSEC are you running? What specs does the server node have?

Nikki S

Apr 27, 2017, 10:33:19 AM
to ossec-list
OSSEC HIDS v2.8.3, on a VM with 8 GB of RAM and 4 CPU cores.

Phil Porada

Apr 27, 2017, 11:07:10 AM
to ossec-list
It may be worth investigating an upgrade to OSSEC 2.9.0.

According to the changelog, there are 2 potentially useful fixes that may help you out: https://github.com/ossec/ossec-hids/releases
  • Avoids computing hashes multiple times to improve performance
  • Syscheck improvements

Alternatively, try bumping up the amount of allocated CPUs. Maybe you've finally topped out the server node? Do you have historical graphs of CPU usage during scan times?

dan (ddp)

Apr 27, 2017, 5:42:34 PM
to ossec...@googlegroups.com
On Wed, Apr 26, 2017 at 9:51 PM, Nikki Sridhar <nikkisr...@gmail.com> wrote:
> There shouldn't be! Only system integrity configuration is enabled, and that runs every 20 hours. Real-time system integrity check is enabled for 3 directories.
>

Turn on the log all option on the server and see what appears in archives.log.
That will give you an idea of how much each system is sending to the server.

Even using tcpdump to see if there is a lot of traffic passing between
one agent and the server might give you some ideas. Like if an agent
has its log monitoring turned on, even though the server doesn't do
anything with the logs.

> I was wondering if clearing out the syscheck DB would help?
>

I don't think so, but you can try it.
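An added example (not part of the thread, and not OSSEC's own tooling) of the "log all" check described above. With `<logall>yes</logall>` in the `<global>` section of the server's ossec.conf and the server restarted, every event received from an agent is written to /var/ossec/logs/archives/archives.log. The script below tallies those lines per agent and per (agent, location) so the noisy agents stand out, and, by location, shows whether an agent is shipping log files (`/var/log/...`) rather than only syscheck events. The line layout it parses (`YYYY Mon DD HH:MM:SS (agent) ip->location message`, with a bare hostname instead of `(agent) ip` for events generated on the server itself) is an assumption about the archives.log format, and the sample lines are constructed for the example.

```python
import re
import sys
from collections import Counter

# Assumed archives.log layout, one event per line:
#   "YYYY Mon DD HH:MM:SS (agent_name) agent_ip->location message"
# Events generated on the server itself carry a hostname instead of
# the "(agent) ip" pair:
#   "YYYY Mon DD HH:MM:SS hostname->location message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+))->"
    r"(?P<location>\S+)(?: (?P<msg>.*))?$"
)

# Constructed sample lines (not real data): two agents plus the server.
SAMPLE_ARCHIVES = """\
2017 Apr 28 15:07:12 (web01) 10.1.2.3->/var/log/auth.log Apr 28 15:07:11 web01 sshd[1234]: Accepted publickey for deploy from 10.9.8.7 port 51234 ssh2
2017 Apr 28 15:07:12 (web01) 10.1.2.3->/var/log/auth.log Apr 28 15:07:12 web01 sshd[1234]: pam_unix(sshd:session): session opened for user deploy
2017 Apr 28 15:07:13 (web01) 10.1.2.3->/var/log/syslog Apr 28 15:07:13 web01 CRON[5678]: (root) CMD (run-parts /etc/cron.hourly)
2017 Apr 28 15:07:14 (db02) 10.1.2.4->syscheck ossec: File '/etc/hosts' checksum changed.
2017 Apr 28 15:07:15 ossec-server->/var/ossec/logs/ossec.log 2017/04/28 15:07:15 ossec-remoted: INFO: Started (pid: 999).
"""


def parse_line(line):
    """Return (agent, location) for one archives.log line, or None if the
    line does not match the assumed layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    agent = m.group("agent") or "<server:%s>" % m.group("host")
    return agent, m.group("location")


def summarize(lines):
    """Count events per agent and per (agent, location) over an iterable
    of archives.log lines; also count lines that could not be parsed."""
    per_agent = Counter()
    per_source = Counter()
    unparsed = 0
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1
            continue
        agent, location = parsed
        per_agent[agent] += 1
        per_source[(agent, location)] += 1
    return per_agent, per_source, unparsed


def top_talkers(lines, n=10):
    """The n busiest agents and the n busiest (agent, location) pairs."""
    per_agent, per_source, _ = summarize(lines)
    return per_agent.most_common(n), per_source.most_common(n)


def main(argv):
    path = argv[1] if len(argv) > 1 else "/var/ossec/logs/archives/archives.log"
    with open(path, errors="replace") as fh:
        per_agent, per_source, unparsed = summarize(fh)
    print("events per agent:")
    for agent, count in per_agent.most_common(20):
        print("  %8d  %s" % (count, agent))
    print("events per (agent, location):")
    for (agent, loc), count in per_source.most_common(20):
        print("  %8d  %s  %s" % (count, agent, loc))
    print("unparsed lines: %d" % unparsed)


if __name__ == "__main__":
    main(sys.argv)
```

A few minutes of archives.log is enough: any agent whose locations are log files rather than `syscheck` still has log collection turned on, regardless of what the server does with those events. Turn `logall` back off once you have the numbers, since with several hundred agents archives.log grows quickly.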

Nikki S

Apr 28, 2017, 3:07:12 PM
to ossec-list
With tcpdump, I do see traffic getting to the server. Since the syscheck is only enabled every 22 hours, I was wondering what the other traffic is!

How can I verify if log monitoring has been turned off? 

Thank you! 

dan (ddp)

Apr 28, 2017, 9:36:19 PM
to ossec...@googlegroups.com
On Fri, Apr 28, 2017 at 3:07 PM, Nikki S <nikkisr...@gmail.com> wrote:
> With tcpdump, I do see traffic getting to the server. Since the syscheck is
> only enabled every 22 hours, I was wondering what the other traffic is!
>
> How can I verify if log monitoring has been turned off?
>

Check the ossec.conf on the agents, and make sure there are no
<localfile> entries.
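An added example, not from the thread or the OSSEC project, of the agent-side check suggested above. It parses an agent's ossec.conf, lists every `<localfile>` entry (the stock agent config ships with several, covering syslog files and `command` entries such as `df -P`), and reads the `<syscheck>` interval and real-time directories. Two points a practitioner wants handled: OSSEC config files routinely contain several top-level `<ossec_config>` elements, which is not a well-formed XML document, so the text is wrapped in a synthetic root before parsing; and OSSEC's centralized configuration (/var/ossec/etc/shared/agent.conf on the server, pushed to agents by remoted) can add `<localfile>` entries that never appear in the agent's own ossec.conf, so that file is scanned too. The sample configs are constructed for the example and the `audit` helper is hypothetical.

```python
import re
import xml.etree.ElementTree as ET


def load_ossec_conf(text):
    """Parse ossec.conf or agent.conf text.

    These files may hold several top-level <ossec_config> / <agent_config>
    elements plus comments, which is not one well-formed XML document, so
    the whole text is wrapped in a synthetic root before parsing. A leading
    XML declaration (rare in OSSEC configs) would break that wrapping, so
    it is stripped first."""
    text = re.sub(r"<\?xml[^>]*\?>", "", text)
    return ET.fromstring("<root>" + text + "</root>")


def localfiles(text):
    """Return (log_format, source) for every <localfile>. Command-style
    entries carry a <command> instead of a <location>."""
    entries = []
    for lf in load_ossec_conf(text).iter("localfile"):
        fmt = (lf.findtext("log_format") or "").strip()
        src = (lf.findtext("location") or lf.findtext("command") or "").strip()
        entries.append((fmt, src))
    return entries


def syscheck_settings(text):
    """Collect the scan interval and monitored directories from <syscheck>."""
    info = {"frequency": None, "directories": [], "realtime": []}
    for sc in load_ossec_conf(text).iter("syscheck"):
        freq = sc.findtext("frequency")
        if freq:
            info["frequency"] = int(freq.strip())
        for d in sc.findall("directories"):
            paths = [p.strip() for p in (d.text or "").split(",") if p.strip()]
            info["directories"].extend(paths)
            if d.get("realtime", "no").strip().lower() == "yes":
                info["realtime"].extend(paths)
    return info


def audit(ossec_conf, agent_conf=""):
    """Hypothetical helper: report everything that makes an agent send more
    than a periodic syscheck scan (log collection, real-time syscheck)."""
    findings = []
    for label, text in (("ossec.conf", ossec_conf), ("agent.conf", agent_conf)):
        if not text.strip():
            continue
        for fmt, src in localfiles(text):
            findings.append("%s: log collection enabled: %s %s" % (label, fmt, src))
    sc = syscheck_settings(ossec_conf)
    if sc["frequency"] is not None:
        hours = sc["frequency"] / 3600.0
        findings.append("syscheck runs every %d s (%.1f h)" % (sc["frequency"], hours))
    if sc["realtime"]:
        findings.append("realtime syscheck on: %s" % ", ".join(sc["realtime"]))
    return findings


# Constructed agent ossec.conf: two <ossec_config> blocks, syscheck every
# 20 h with three real-time directories, and two stock-style localfiles.
SAMPLE_OSSEC_CONF = """\
<!-- constructed for the example -->
<ossec_config>
  <client>
    <server-ip>10.1.0.1</server-ip>
  </client>
  <syscheck>
    <frequency>72000</frequency>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
  </syscheck>
</ossec_config>

<ossec_config>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
  <localfile>
    <log_format>command</log_format>
    <command>df -P</command>
  </localfile>
</ossec_config>
"""

# Constructed centralized agent.conf adding a localfile the agent's own
# ossec.conf does not mention.
SAMPLE_AGENT_CONF = """\
<agent_config os="Linux">
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/secure</location>
  </localfile>
</agent_config>
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_OSSEC_CONF, SAMPLE_AGENT_CONF):
        print(line)
```

Run it against /var/ossec/etc/ossec.conf on a sample of agents and against the server's shared agent.conf; an empty `localfiles()` result from both is what "log monitoring turned off" looks like. An agent with no `<localfile>` anywhere but real-time syscheck on a busy directory will still send an event for every change, so the real-time list is worth a look as well.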