Hi,
I've been noticing heavy disk I/O operations on some of my OSSEC agents. The average write is around 2 mb/s and 0 mb/s for read operations (which is weird).
Is anyone experiencing the same thing? Wasn't it supposed to be (at least more) reading rather than writing operations? And why is the consumption so high!?
I'm using OSSEC 2.8.3 on server 2012 R2.
Syscheck frequency is set to 72000 and the settings I’m using (for log and event viewer monitoring) are set for both happening and not happening servers.
Can someone help me?
Regards,
Hi,
I think I just found out.
Since I'm running OSSEC on Server 2012 and in order to correctly view Event Viewer logs, I switched "eventlog" to "eventchannel" in the ossec.conf event viewer settings. Which, according to the OSSEC documentation, uses the "new" Event API for log translation.
http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.localfile.html
Now, for troubleshooting I rolled back and it started working normally with normal disk consumption.
I guess it's this setting. However, I really needed it, otherwise I won't be able to retrieve all the information from the event viewer logs.
<localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447]</query>
</localfile>
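As an added helper (not part of the thread or of OSSEC itself), the script below builds the XPath-style exclusion filter used in the <query> element above from a list of noisy event IDs, and reads an existing ossec.conf back to show which channels use eventchannel and which IDs each one drops. The sample configuration embedded in it is constructed for the example and only mirrors the block posted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the localfile block from the thread (not a real server's config).
SAMPLE_CONF = """<ossec_config>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447]</query>
  </localfile>
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>"""


def build_query(excluded_ids):
    """Build the <query> filter that drops the given event IDs (deduplicated, sorted)."""
    ids = sorted({int(i) for i in excluded_ids})
    if not ids:
        return "Event/System"  # no clause: every event on the channel is forwarded
    clauses = " and ".join(f"EventID != {i}" for i in ids)
    return f"Event/System[{clauses}]"


def excluded_ids(query):
    """Recover the excluded event IDs from an existing <query> string."""
    return sorted(int(m) for m in re.findall(r"EventID\s*!=\s*(\d+)", query))


def eventchannel_channels(conf_xml):
    """Map each eventchannel <location> in an ossec.conf to the IDs its query excludes.

    ossec.conf may contain several top-level <ossec_config> elements, which is not
    well-formed XML, so the text is wrapped in a throwaway root before parsing.
    """
    root = ET.fromstring("<root>" + conf_xml + "</root>")
    channels = {}
    for lf in root.iter("localfile"):
        if lf.findtext("log_format") != "eventchannel":
            continue
        channels[lf.findtext("location")] = excluded_ids(lf.findtext("query") or "")
    return channels


if __name__ == "__main__":
    print(build_query([5156, 5145, 5447]))
    print(eventchannel_channels(SAMPLE_CONF))
```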
Hey,
Thanks for your reply. I'm gonna give it a try.
I'm gathering a list of events that actually aren't needed, to make a more refined exclusion list.
I will keep you posted.
Thanks!