Alerts.log loop


Marcin Gołębiowski

2017/04/20 9:12:05
To: ossec-list
Hi everyone,

My OS - Ubuntu Server 16.04 LTS, OSSEC version - 2.9.0

Today I encountered a strange error with OSSEC - log monitoring ended up in a loop, constantly re-checking the portion of logs between 6AM and 9AM and, of course, sending duplicate emails. Troubleshooting the issue I noticed:
1) The monitored logs seem to be OK, nothing exceptional in them,
2) Analysisd was using 100% CPU on the core it is bound to,
3) Restarting OSSEC solved the problem.
What could be the reason? Could it be Syscheckd kicking in every 6 hours? I've noticed this in ossec.log:
2017/04/20 06:52:48 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2017/04/20 06:52:48 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
But syscheck is checking only a limited set of files in two webserver directories. It's not very much.
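As an added diagnostic, not part of the original thread: a small Python check over constructed alerts.log entries that flags what a re-processing loop like the one described above leaves behind, namely the same alert id written twice and header timestamps jumping backwards. The header regex assumes the standard "** Alert <epoch>.<id>:" line that OSSEC writes; the sample entries and host name are constructed.

```python
import re
from collections import Counter

# Constructed sample of OSSEC alerts.log entries (not taken from the post).
# The third block repeats the first block's alert id, which is what
# analysisd re-processing an already handled time window would produce.
SAMPLE_ALERTS = """\
** Alert 1492671168.1001: mail - syslog,sshd,authentication_failed,
2017 Apr 20 06:52:48 web1->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Apr 20 06:52:47 web1 sshd[1234]: Failed password for invalid user test from 192.0.2.10 port 4242 ssh2

** Alert 1492671200.1002: - syslog,
2017 Apr 20 06:53:20 web1->/var/log/syslog
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Apr 20 06:53:19 web1 kernel: constructed sample message

** Alert 1492671168.1001: mail - syslog,sshd,authentication_failed,
2017 Apr 20 06:52:48 web1->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Apr 20 06:52:47 web1 sshd[1234]: Failed password for invalid user test from 192.0.2.10 port 4242 ssh2
"""

# Alert header: "** Alert <unix epoch>.<alert id>: <flags> - <groups>"
HEADER = re.compile(r"^\*\* Alert (\d+)\.(\d+): ")


def find_replay(text):
    """Scan alerts.log text; return (duplicate alert ids, backward time steps).

    A healthy alerts.log has strictly unique (epoch, id) headers and
    non-decreasing epochs. Duplicates or backward steps point to the
    same log window being processed again.
    """
    ids = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ids.append((int(m.group(1)), int(m.group(2))))
    counts = Counter(ids)
    duplicates = sorted(k for k, n in counts.items() if n > 1)
    backwards = sum(1 for prev, cur in zip(ids, ids[1:]) if cur[0] < prev[0])
    return duplicates, backwards


if __name__ == "__main__":
    dups, back = find_replay(SAMPLE_ALERTS)
    print("duplicate alert ids:", dups)
    print("backward time steps:", back)
```

Run it against a real file with `find_replay(open("/var/log/ossec/alerts.log").read())`; a non-empty duplicate list or a non-zero backward count is a quick confirmation of the loop before restarting OSSEC.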