Hi everyone,
My OS - Ubuntu Server 16.04 LTS, OSSEC version - 2.9.0
Today I encountered a strange error with OSSEC: log monitoring ended up in a loop, constantly re-checking the portion of the logs between 6 AM and 9 AM and, of course, sending duplicate emails. While troubleshooting the issue I noticed:
1) Logs monitored seem to be ok, nothing exceptional in them,
2) Analysisd was using 100% CPU on the core it is bound to,
3) Restarting OSSEC solved the problem.
What could be the reason? Could it be Syscheckd kicking in every 6 hours? I've noticed this in ossec.log:
2017/04/20 06:52:48 ossec-syscheckd: INFO: Starting syscheck scan (forwarding database).
2017/04/20 06:52:48 ossec-syscheckd: INFO: Starting syscheck database (pre-scan).
But syscheck only checks a limited set of files in two web server directories. It's not very much.
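One check I would run on a box showing these symptoms, as an added example that is not code from the post or from the OSSEC project: parse alerts.log and flag raw log lines that were alerted on more than once under different alert timestamps, which is what a stuck read loop looks like from the outside (the same 06:00-09:00 lines producing fresh alerts, and fresh mails, every pass). The alerts.log layout assumed here (a `** Alert <epoch>.<id>:` header, a `<date> <host>-><location>` line, a `Rule:` line, optional decoder fields such as `Src IP:`, then the raw log) is the plain-text format as I know it from OSSEC 2.x; the sample alerts embedded below are constructed, and the field prefixes and default path are assumptions.

```python
"""Flag log lines that OSSEC alerted on repeatedly (re-ingest loop check).

Constructed example; the alerts.log layout is assumed from OSSEC 2.x and
the sample data below is invented, not taken from any real system.
"""
import re
from collections import defaultdict

# Constructed sample alerts.log content. The same sshd failure, carrying the
# same original syslog timestamp, is alerted on three times at different
# alert epochs: that is the loop we want to flag. The 404 alert is a one-off.
SAMPLE_ALERTS = """\
** Alert 1492667568.1001: mail  - syslog,sshd,authentication_failed,
2017 Apr 20 06:52:48 web1->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
Apr 20 06:52:48 web1 sshd[1234]: Failed password for root from 192.0.2.10 port 4242 ssh2

** Alert 1492667570.1002: - web,accesslog,
2017 Apr 20 06:52:50 web1->/var/log/apache2/access.log
Rule: 31101 (level 5) -> 'Web server 400 error code.'
192.0.2.20 - - [20/Apr/2017:06:52:50 +0000] "GET /admin HTTP/1.1" 404 -

** Alert 1492667700.1003: mail  - syslog,sshd,authentication_failed,
2017 Apr 20 06:55:00 web1->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
Apr 20 06:52:48 web1 sshd[1234]: Failed password for root from 192.0.2.10 port 4242 ssh2

** Alert 1492667710.1004: mail  - syslog,sshd,authentication_failed,
2017 Apr 20 06:55:10 web1->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
Apr 20 06:52:48 web1 sshd[1234]: Failed password for root from 192.0.2.10 port 4242 ssh2
"""

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.(\d+):")
LOCATION_RE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (\S+)->(.+)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
# Assumed: decoder fields printed between the Rule line and the raw log.
FIELD_PREFIXES = ("Src IP:", "Dst IP:", "Src Port:", "Dst Port:", "User:")


def parse_alerts(text):
    """Split alerts.log text into dicts; alert blocks are blank-line separated."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        header = HEADER_RE.match(lines[0])
        if not header:
            continue  # skip anything that is not an alert block
        alert = {"epoch": int(header.group(1)), "host": None,
                 "location": None, "rule": None, "level": None, "log": []}
        for line in lines[1:]:
            loc = LOCATION_RE.match(line)
            rule = RULE_RE.match(line)
            if loc:
                alert["host"], alert["location"] = loc.groups()
            elif rule:
                alert["rule"], alert["level"] = int(rule.group(1)), int(rule.group(2))
            elif line.startswith(FIELD_PREFIXES):
                continue  # decoder field, not part of the raw log
            else:
                alert["log"].append(line)
        alerts.append(alert)
    return alerts


def find_replayed(alerts, min_repeats=2):
    """Group alerts by (host, location, rule, raw log lines).

    A key seen under several distinct alert epochs means analysisd raised a
    fresh alert for log lines it had already alerted on. Returns
    {key: sorted alert epochs} for keys repeated at least min_repeats times.
    """
    seen = defaultdict(set)
    for a in alerts:
        key = (a["host"], a["location"], a["rule"], tuple(a["log"]))
        seen[key].add(a["epoch"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_repeats}


def report(text):
    """One line per replayed alert, ordered by first alert epoch."""
    found = find_replayed(parse_alerts(text))
    lines = []
    for (host, location, rule, log), epochs in sorted(found.items(), key=lambda kv: kv[1][0]):
        lines.append("rule %d on %s:%s alerted %d times (epochs %d..%d): %s"
                     % (rule, host, location, len(epochs), epochs[0], epochs[-1], log[0]))
    return lines


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ALERTS
    for line in report(src) or ["no replayed alerts found"]:
        print(line)
```

Run it against the server's alerts.log (`/var/ossec/logs/alerts/alerts.log` on a default install, an assumption) and any line in the output with a large epoch span is a log line the daemon kept re-reading; the span of first-to-last epochs also tells you how long the loop ran before the restart cleared it. The check only sees lines that matched a rule, so a loop over lines that trigger no alert would stay invisible to it.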