ossec-analysisd - Constant High CPU

[David Drake]

I have one OSSEC manager that has high CPU very frequently (100%) which is causing other agents to disconnected.  Is there a good mechanism for troubleshooting why the CPU is pegged constantly?  I do understand it's a single threaded process and hope that will change in the future.  Specs:

4vCPU

16GB RAM

1300 Agents

This particular server has high CPU at various times and generally has taken a few days to get back to a normal threshold.  

[Victor Fernandez]

Hi David,

could you tell us which process (or processes) use high CPU?

If such process is ossec-remoted you probably have overload. You should consider use more than one manager to distribute the load, depending on the agent configuration (i.e. if agents produce a large number of events).

On the other hand, if the process that uses a high CPU is ossec-analysisd, the most common issue is that Syscheck tables for FIM (stored in manager side) have grown too much. I recommend you to clean the Syscheck tables this way:

$ /var/ossec/bin/syscheck_control -u all

Hope it help.

Best regards.

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6296df2b-4180-4892-86b8-fe1f5a48edc1%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Victor M. Fernandez-Castro

IT Security Engineer

Wazuh Inc.