ossec-remoted high CPU


Sylvain Crouet, Dec 12, 2017, 10:04:55 AM, to ossec...@googlegroups.com

Hello,

One of my OSSEC servers has been constantly busy (100% CPU) for some days, with ossec-remoted at between 90% and 100% CPU. This server manages only about 65 agents. What can explain this high CPU utilization, and how can I solve it? I have already restarted the OSSEC services and the whole server.

Cordialement / Kind regards

Sylvain Crouet

Security Officer - Security is everybody’s responsibility

Mobile +33 (0) 7 75 24 10 28

 


Neocase™ Software is a leading provider of integrated HR and Finance service delivery solutions.

www.neocasesoftware.com

 


Brett Simpson, Dec 14, 2017, 12:38:17 PM, to ossec-list

I would suggest you turn on debug on one of the agents and see what the agent is trying to send versus what the server actually keeps. I had issues with a few event IDs generating thousands of events per second that weren't even used by the ossec server so I used a line like this on the agent to drop them without sending.

  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 256] and Event/System[EventID != 258]</query>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 4656] and Event/System[EventID != 4658] and Event/System[EventID != 4670] and Event/System[EventID != 4672] and Event/System[EventID != 4688] and Event/System[EventID != 4689] and Event/System[EventID != 4690] and Event/System[EventID != 5152] and Event/System[EventID != 5156] and Event/System[EventID != 5158] and Event/System[EventID != 5447]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID!=7000]</query>
  </localfile>

Sylvain Crouet, Dec 19, 2017, 8:36:06 AM, to ossec...@googlegroups.com

Hello,

How can I identify the agent on which I should do that? I have already stopped the most verbose agents, and there is no change in CPU.

Cordialement / Regards

Sylvain Crouet


--
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Brett Simpson, Dec 19, 2017, 8:42:21 AM, to ossec...@googlegroups.com

Put <logall>true</logall> inside the <global> directive of ossec.conf on the OSSEC server. This will log everything to /var/ossec/logs/archives/archives.log. I would do that for 5 minutes, then disable it and look through that archive to see what is showing up.

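Brett's two suggestions fit together: turn on <logall> for a few minutes, rank agents and Windows event IDs by how many lines they put into archives.log, and then build the eventchannel <query> that drops the worst offenders on the agent itself (the "Event/System[EventID != N] and ..." form from his first reply). The script below is an added example written for this page; it is not OSSEC code and not code from either poster. It assumes the archives.log line layout '<YYYY Mon DD HH:MM:SS> (<agent>) <ip>-><location> <message>' for agent events and '<timestamp> <hostname>-><location> <message>' for the server's own logs, and the eventchannel message prefix 'WinEvtLog: <Channel>: <LEVEL>(<EventID>):'. The host names, IPs and log lines embedded in it are constructed for the example, not taken from the thread.

```python
"""Rank OSSEC agents and Windows event IDs by volume in archives.log.

Added example for this thread, not part of OSSEC. Assumed line layouts:
  agent events : '<YYYY Mon DD HH:MM:SS> (<agent>) <ip>-><location> <message>'
  server logs  : '<YYYY Mon DD HH:MM:SS> <hostname>-><location> <message>'
Assumed eventchannel prefix: 'WinEvtLog: <Channel>: <LEVEL>(<EventID>): ...'
"""
import re
import sys
from collections import Counter

# Constructed sample of a logall capture (hosts, IPs and messages are made up).
SAMPLE_ARCHIVE = """\
2017 Dec 19 08:40:01 (win-app-01) 10.0.1.21->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(5156): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-APP-01: The Windows Filtering Platform has permitted a connection.
2017 Dec 19 08:40:01 (win-app-01) 10.0.1.21->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(5156): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-APP-01: The Windows Filtering Platform has permitted a connection.
2017 Dec 19 08:40:01 (win-app-01) 10.0.1.21->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(5158): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-APP-01: The Windows Filtering Platform has permitted a bind to a local port.
2017 Dec 19 08:40:02 (win-app-01) 10.0.1.21->WinEvtLog WinEvtLog: Security: AUDIT_SUCCESS(4688): Microsoft-Windows-Security-Auditing: SYSTEM: NT AUTHORITY: WIN-APP-01: A new process has been created.
2017 Dec 19 08:40:02 (win-db-02) 10.0.1.22->WinEvtLog WinEvtLog: Application: INFORMATION(256): ESENT: (no user): no domain: WIN-DB-02: Online defragmentation has completed.
2017 Dec 19 08:40:02 (lnx-web-03) 10.0.1.33->/var/log/auth.log Dec 19 08:40:02 lnx-web-03 sshd[1234]: Accepted publickey for deploy from 10.0.1.5 port 51234 ssh2
2017 Dec 19 08:40:03 ossec-srv->/var/log/syslog Dec 19 08:40:03 ossec-srv CRON[99]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} "
    r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)|(?P<host>\S+))"   # agent event or server log
    r"->(?P<location>\S+) (?P<msg>.*)$"
)
WINEVT_RE = re.compile(r"^WinEvtLog: (?P<channel>[^:]+): [A-Z_]+\((?P<eid>\d+)\):")


def parse_line(line):
    """Return a record dict for one archives.log line, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"agent": m.group("agent") or m.group("host"),
           "location": m.group("location"), "msg": m.group("msg"),
           "channel": None, "event_id": None}
    w = WINEVT_RE.match(rec["msg"])
    if w:  # Windows eventchannel record: remember channel and EventID
        rec["channel"] = w.group("channel")
        rec["event_id"] = int(w.group("eid"))
    return rec


def summarize(text):
    """Count lines per agent and per (agent, channel, EventID)."""
    per_agent, per_event = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        per_agent[rec["agent"]] += 1
        if rec["event_id"] is not None:
            per_event[(rec["agent"], rec["channel"], rec["event_id"])] += 1
    return per_agent, per_event


def build_query(event_ids):
    """Eventchannel <query> excluding the given IDs, in the form used in this thread."""
    ids = sorted(set(event_ids))
    if not ids:
        raise ValueError("need at least one event ID to exclude")
    return " and ".join(f"Event/System[EventID != {eid}]" for eid in ids)


def suggest_localfile(per_event, agent, min_count):
    """<localfile> blocks, one per channel, dropping IDs seen >= min_count times."""
    noisy = {}
    for (a, channel, eid), n in per_event.items():
        if a == agent and n >= min_count:
            noisy.setdefault(channel, []).append(eid)
    blocks = ["  <localfile>\n"
              f"    <location>{channel}</location>\n"
              "    <log_format>eventchannel</log_format>\n"
              f"    <query>{build_query(noisy[channel])}</query>\n"
              "  </localfile>" for channel in sorted(noisy)]
    return "\n\n".join(blocks)


if __name__ == "__main__":
    # Feed a real capture on stdin; with none, the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ARCHIVE
    agents, events = summarize(text)
    for name, n in agents.most_common():
        print(f"{n:8d}  {name}")
    noisiest = agents.most_common(1)[0][0]
    print(f"\nSuggested agent config for {noisiest}:\n")
    print(suggest_localfile(events, noisiest, min_count=2))
```

Against a real capture, run it as `python3 rank_archives.py < /var/ossec/logs/archives/archives.log` and raise min_count to whatever volume is actually painful in a five-minute window. Two caveats: logall writes every event in clear text, so the file grows fast and may hold sensitive data; turn it off again and clean up once the capture is done. And an exclusion query silences those IDs at the source, so nothing on the server can alert on them afterwards; check that none of the dropped IDs are used by a rule you rely on before pushing the config.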

Sylvain Crouet, Dec 19, 2017, 11:23:51 AM, to ossec...@googlegroups.com

Done, very informative indeed. Thank you Brett.

Cordialement / Regards

Sylvain Crouet


Sylvain Crouet, Dec 20, 2017, 4:48:28 AM, to ossec...@googlegroups.com

Hello,

I updated the shared agent.conf file to discard some Windows events. But I notice that Windows 2.9.0 agents do not receive this shared configuration file, while 2.8.3 and 2.9.2 do. Below is the output of the deployment checking script:

Current version: c0db7baf32df4a94479756bd6a8c2e63
001 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
002 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
003 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
004 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
005 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
007 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
008 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
009 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
010 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
011 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
012 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
013 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
014 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
015 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
016 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
017 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
018 v2.9.0/3757083ea8656e6141cafb893b55488b NOK
019 v2.9.0/3757083ea8656e6141cafb893b55488b NOK
022 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
023 v2.8.3/c0db7baf32df4a94479756bd6a8c2e63 OK
024 v2.9.0 NOK
025 v2.9.0 NOK

 

The OSSEC server version is 2.9.2.

Any idea?

Cordialement / Regards

Sylvain Crouet

 

Brett Simpson, Dec 20, 2017, 7:10:00 AM, to ossec...@googlegroups.com

Shared configs cannot control the Windows eventchannel, from what I last knew. So I would check them, and you will likely see nothing changed. If you turn on logall again you should see the specific event IDs disappear; if not, then you know it didn't take effect.

As for 2.9.0, not sure, as I really don't leverage shared configs.

On Wed, Dec 20, 2017 at 4:48 AM, Sylvain Crouet <scr...@neocasesoftware.com> wrote:
> Hello,
>
> I updated the shared agent.conf file to discard some Windows events. But I notice that Windows 2.9.0 agents do not receive this shared configuration file, while 2.8.3 and 2.9.2 do. Below is the output of the deployment checking script:


dan (ddp), Dec 21, 2017, 7:57:28 AM, to ossec...@googlegroups.com

On Wed, Dec 20, 2017 at 4:48 AM, Sylvain Crouet
<scr...@neocasesoftware.com> wrote:
> Hello,
>
>
>
> I updated the shared agent.conf file to discard some Windows events. But I
> notice that Windows 2.9.0 agents do not receive this shared configuration
> file, while 2.8.3 and 2.9.2 do. Below is the ouput of deployment checking
> script:
>

There were some issues with Windows transferring files (had to be in
binary mode or something?). I can't remember off hand when it was
fixed exactly.

Sylvain Crouet, Dec 22, 2017, 2:43:49 AM, to ossec...@googlegroups.com

Well, I will update all my 2.9.0 Windows agents to the latest version.

Cordialement / Regards

Sylvain Crouet

Sylvain Crouet, Jan 22, 2018, 3:12:25 AM, to ossec...@googlegroups.com

Even for a 2.9.2 agent, the shared agent.conf file is not pushed. Here is part of its log file:

2018/01/21 02:02:06 INFO: Connected to 10.0.1.11 at address 10.0.1.11:1514, port 1514
2018/01/21 02:02:06 ossec-agent: Starting syscheckd thread.
2018/01/21 02:02:06 ossec-agent(1226): ERROR: Error reading XML file 'shared/agent.conf': XMLERR: File 'shared/agent.conf' not found. (line 29).
2018/01/21 02:02:06 ossec-syscheckd(1702): INFO: No directory provided for syscheck to monitor.
2018/01/21 02:02:06 ossec-syscheckd: WARN: Syscheck disabled.
2018/01/21 02:02:06 ossec-agent(1226): ERROR: Error reading XML file 'shared/agent.conf': XMLERR: File 'shared/agent.conf' not found. (line 29).
2018/01/21 02:02:06 ossec-rootcheck: INFO: Started (pid: 1968).
2018/01/21 02:02:06 ossec-syscheckd: INFO: Started (pid: 1968).
2018/01/21 02:02:16 ossec-agent: WARN: Process locked. Waiting for permission...
2018/01/21 02:02:16 ossec-agentd(4102): INFO: Connected to server 10.0.1.11, port 1514.
2018/01/21 02:02:16 ossec-agent: INFO: System is Vista or newer (Microsoft Windows Server 2012 Datacenter Edition (full) (Build 9200) - OSSEC HIDS v2.9.2).
2018/01/21 02:02:16 ossec-logcollector: INFO: Started (pid: 1968).
2018/01/21 02:02:21 ossec-agent: INFO: Lock free. Continuing...
2018/01/21 02:03:32 rootcheck: INFO: Starting rootcheck scan.
2018/01/21 02:03:32 rootcheck: No winaudit file configured.
2018/01/21 02:03:32 rootcheck: No winmalware file configured.
2018/01/21 02:03:32 rootcheck: No winapps file configured.
2018/01/21 02:03:38 rootcheck: INFO: Ending rootcheck scan.
2018/01/21 04:12:21 ossec-agent: More than 600 seconds without server response...sending win32info
2018/01/21 05:30:25 ossec-agent: More than 600 seconds without server response...sending win32info
2018/01/21 08:15:10 ossec-agent: More than 600 seconds without server response...sending win32info
2018/01/21 09:33:13 ossec-agent: More than 600 seconds without server response...sending win32info
2018/01/21 11:41:59 ossec-agentd(1214): WARN: Problem receiving message from '10.0.1.11'.
2018/01/21 11:41:59 ossec-agentd(1214): WARN: Problem receiving message from '10.0.1.11'.
2018/01/21 11:41:59 ossec-agentd(1214): WARN: Problem receiving message from '10.0.1.11'.
2018/01/21 13:09:59 ossec-agent: More than 600 seconds without server response...sending win32info
2018/01/21 16:46:45 ossec-agent: More than 600 seconds without server response...sending win32info
2018/01/21 18:04:49 ossec-agent: More than 600 seconds without server response...sending win32info
2018/01/21 21:41:35 ossec-agent: More than 600 seconds without server response...sending win32info
2018/01/21 22:07:21 rootcheck: INFO: Starting rootcheck scan.
2018/01/21 22:07:21 rootcheck: No winaudit file configured.
2018/01/21 22:07:21 rootcheck: No winmalware file configured.
2018/01/21 22:07:21 rootcheck: No winapps file configured.
2018/01/21 22:07:26 rootcheck: INFO: Ending rootcheck scan.
2018/01/22 01:44:21 ossec-agent: More than 600 seconds without server response...sending win32info
2018/01/22 03:02:25 ossec-agent: More than 600 seconds without server response...sending win32info
2018/01/22 07:05:11 ossec-agent: More than 600 seconds without server response...sending win32info