Ossec Windows Agent High Disk I/O Consumption


LGuerra

May 25, 2017, 11:47:54 AM
to ossec-list

Hi,

I've been noticing heavy disk I/O operations on some of my OSSEC agents. The average write is around 2 mb/s and 0 mb/s for read operations (which is weird).

Is anyone experiencing the same thing? Wasn't it supposed to be (at least more) reading instead of writing operations? And why is there such high consumption!?

I'm using OSSEC 2.8.3 on Server 2012 R2.

Syscheck frequency is set to 72000 and the settings I'm using (for log and event viewer monitoring) are set for both happening and not happening servers.

Can someone help me?

Regards,


dan (ddp)

May 25, 2017, 8:37:46 PM
to ossec...@googlegroups.com
Is it writing to ossec.log?


LGuerra

May 26, 2017, 4:41:31 AM
to ossec-list
Hi,

Thanks for your reply!

Yes. It's writing to ossec.log however just the normal log output. No debug at all. As far as I know, this should be the only writing operation.

Regards,

LGuerra

May 26, 2017, 5:50:01 AM
to ossec-list
Hi,

I think I just found out.

Since I'm running OSSEC on Server 2012, and in order to correctly view Event Viewer logs, I switched "eventlog" to "eventchannel" in the ossec.conf event viewer settings. Which, according to the OSSEC documentation, uses the "new" Event API for log translation.

http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.localfile.html

Now, for troubleshooting, I rolled back and it started working normally with normal disk consumption.

I guess it's this setting. However, I really need it, otherwise I won't be able to retrieve all the information from the event viewer logs.

Victor Fernandez

May 26, 2017, 7:07:58 AM
to ossec...@googlegroups.com
Hi,

Indeed, the eventchannel log format is newer and more powerful than eventlog, but it may lead to reporting too many events and even flood your network without a proper query.

If you enabled Windows Firewall and Windows Event Platform logs, they produce a large amount of events that will be sent to the manager. You will be able to see them if you enable archives (option <logall>yes</logall>) in the manager.

I would recommend you to skip certain logs that are produced very frequently and don't pose a security issue, such as events 5145 and 5157 (that are generated when Windows detects new network devices and is querying them for shared folders or printers) or 5447 (that is often produced when the Firewall allows a connection and may be related to an OSSEC message and lead to a vicious circle).

So I recommend you to use a configuration like this:

   <localfile>
     <location>Security</location>
     <log_format>eventchannel</log_format>
     <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447]</query>
   </localfile>

This should prevent your agent from overloading disk and network I/O. If the problem persists, please enable archives at the manager and take a look at the received events.

Hope it helps.
Best regards.

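As an added example (not from this thread or from the OSSEC project), here is a PowerShell snippet for doing two things the thread talks about: ranking which Security-log event IDs are actually the noisy ones on a given agent, and checking that an exclusion query works before it goes into ossec.conf. It assumes it is run in an elevated PowerShell on the Windows agent, and it uses the three event IDs from the <query> element above as the candidate exclusion list.

```powershell
# Added example, not OSSEC's own tooling. Run elevated on the agent.
# Assumption: the Security log is enabled and readable by the caller.

# 1. Rank event IDs in the most recent 20000 Security events (adjust
#    -MaxEvents for a longer window). The top entries are the candidates
#    for exclusion; check each one's meaning before dropping it.
$sample = Get-WinEvent -FilterHashtable @{ LogName = 'Security' } -MaxEvents 20000
$sample |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object -First 15 -Property Count, @{ Name = 'EventID'; Expression = { $_.Name } } |
    Format-Table -AutoSize

# 2. Candidate exclusion list: the IDs used in the <query> above.
$excluded = @(5145, 5156, 5447)

# 3. Build the predicate once and reuse it. The OSSEC <query> element takes
#    "Event/System[...]"; Get-WinEvent -FilterXPath takes the same predicate
#    written relative to the event node, "*[System[...]]".
$predicate = ($excluded | ForEach-Object { "EventID != $_" }) -join ' and '
$xpath = "*[System[$predicate]]"
Write-Host "Paste into ossec.conf <query>: Event/System[$predicate]"

# 4. Run the filter against the live log. A malformed XPath fails here,
#    which is cheaper than finding out after the agent restarts.
$kept = @(Get-WinEvent -LogName 'Security' -FilterXPath $xpath -MaxEvents 20000)

# 5. Sanity check: none of the excluded IDs should survive the filter, and the
#    share of the sample that matches the list tells you how much noise it removes.
$leaked  = @($kept   | Where-Object { $excluded -contains $_.Id })
$dropped = @($sample | Where-Object { $excluded -contains $_.Id })
if ($leaked.Count -gt 0) {
    Write-Warning ("Filter leaked {0} events that should have been excluded" -f $leaked.Count)
} else {
    "Filter OK: {0} of {1} sampled events would be dropped by the exclusion list" -f $dropped.Count, $sample.Count
}
```

The same XPath can be pasted into Event Viewer's "Filter Current Log" XML tab to eyeball what the agent would forward.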

LGuerra

May 26, 2017, 10:38:05 AM
to ossec-list
Hey,

Thanks for your reply. I'm gonna give it a try.

I'm gathering a list of events that actually don't need to make a more refined exclusion list.

I will keep you posted.

Thanks!
