On Wed, Apr 26, 2017 at 9:51 PM, Nikki Sridhar <nikkisr...@gmail.com> wrote:
> There shouldn't be! Only system integrity configuration is enabled and that runs every 20 hours. Real-time system integrity check is enabled for 3 directories.
>
Turn on the log all option on the server and see what appears in archives.log.
That will give you an idea of how much each system is sending to the server.
Even using tcpdump to see if there is a lot of traffic passing between
one agent and the server might give you some ideas. Like if an agent
has its log monitoring turned on, even though the server doesn't do
anything with the logs.
> I was wondering if clearing out the syscheck DB would help?
>
I don't think so, but you can try it.
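
Added example (not part of the original message): one way to turn archives.log into a per-agent volume summary, split by source location so that log-monitoring traffic can be told apart from syscheck traffic. The line layout in the comment and the sample lines are assumptions constructed for illustration; adjust the pattern if your archives.log differs.

```python
import re
import sys
from collections import Counter, defaultdict

# Assumed archives.log layout (not shown in the thread):
#   YYYY Mon DD HH:MM:SS (agent-name) ip->location message
#   YYYY Mon DD HH:MM:SS hostname->location message    (server-local events)
LINE_RE = re.compile(
    r"^\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?:\((?P<agent>[^)]+)\) \S+?|(?P<host>\S+?))->(?P<location>\S+)"
)

# Constructed sample lines, used when no file is given on the command line.
SAMPLE = """\
2017 Apr 26 21:51:03 (web01) 10.0.0.5->/var/log/auth.log Apr 26 21:51:02 web01 sshd[811]: Accepted publickey for deploy
2017 Apr 26 21:51:04 (web01) 10.0.0.5->/var/log/nginx/access.log 10.0.0.9 - - "GET / HTTP/1.1" 200
2017 Apr 26 21:51:05 (db01) 10.0.0.6->syscheck 1024:33188:0:0:abc:def /etc/hosts
2017 Apr 26 21:51:06 ossec-server->/var/log/messages Apr 26 21:51:06 ossec-server cron[99]: job
not an archives line
""".splitlines()

def summarize(lines):
    """Return ({source: {events, bytes, locations}}, unparsed_line_count)."""
    stats = defaultdict(lambda: {"events": 0, "bytes": 0, "locations": Counter()})
    skipped = 0
    for line in lines:
        line = line.rstrip("\n")
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # continuation lines or an unexpected format
            continue
        entry = stats[m.group("agent") or m.group("host")]
        entry["events"] += 1
        entry["bytes"] += len(line.encode("utf-8", "replace"))
        entry["locations"][m.group("location")] += 1
    return dict(stats), skipped

def noisiest(stats):
    """Sources ordered by event count, highest first."""
    return sorted(stats, key=lambda s: stats[s]["events"], reverse=True)

if __name__ == "__main__":
    # Pass the path to archives.log as the first argument.
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    stats, skipped = summarize(src)
    for name in noisiest(stats):
        e = stats[name]
        top = ", ".join(f"{loc}={n}" for loc, n in e["locations"].most_common(3))
        print(f"{name:20} events={e['events']:<8} bytes={e['bytes']:<10} {top}")
    print(f"unparsed lines: {skipped}")
```

An agent whose top locations are log files rather than syscheck is sending monitored logs to the server, which is the case the reply describes.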