
[ossec-dev] Re: problem with MAX_AGENTS





On Nov 1, 2006, at 6:17 PM, Daniel Cid wrote:


Hi Jeremy,

Thanks for the report. It's nice to see that ossec is handling this
large number of agents. One thing you can change is the maximum number
of events stored in memory for correlation. By default it is 1024, but
for your large install you can increase it to 5096 or something larger.
Just set the "memory_size" option in the "global" section to the value
you want. Most of the time I increase it to 5096 :)

Thanks, I'm trying that right now.


Btw, how many events and alerts per second do you have? (Analysisd stores
them hourly)... Just curious..

It looks like I averaged 44 events/sec yesterday. I did
zgrep -c ^2006 ossec-alerts-01.log.gz and divided that by 86400... not
sure if there's a better way.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 11/1/06, Jeremy Hanmer <jeremy@xxxxxxxxxxxxxxx> wrote:


On Oct 30, 2006, at 5:07 PM, Daniel Cid wrote:

>
> Hi Jeremy,
>
>
> *btw, let us know how ossec behaves with that large number of agents.
> The maximum
> I tested with was 74 agents.

I've had everything running since Sunday with all 420 agents and
everything's looking good.  As far as performance goes, the box is a
dual-core Opteron 165 with 2GB of RAM.  During the busiest time of
the day, ossec-analysisd averages about 50% CPU with less than 2MB of
RAM used and ossec-remoted averages about 5% CPU with about 3MB of
RAM usage.




> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 10/30/06, Jeremy Hanmer <jeremy@xxxxxxxxxxxxxxx> wrote:
>>
>> I've got a fairly large ossec installation that I've just set up
>> (currently 420 agents with 1 central server) and I hit a problem with
>> MAX_AGENTS. With more than 256 agents, ossec-remoted segfaults. I
>> had to dig through the code to figure out what to raise since nothing
>> gets logged when it crashes. I tried to add some error handling, but
>> it looks like a lot of places would need checks and I'm not quite
>> comfortable with that just yet.
>>




