[ossec-dev] Re: problem with MAX_AGENTS

["Daniel Cid" <dcid@xxxxxxxxx>]

Hi Jeremy,

Thanks for the information. You got the number of alerts per second (what ossec
actually logs at the end). The total number of events received can be viewed
with the following hack:

# file=/var/ossec/stats/totals/2006/Oct/ossec-totals-22.log
# a=`cat $file |grep "\-\-" | cut -d "-" -f 5`;
# b=0;for i in $a; do b=`expr $b + $i`; done;
# echo "Total events: $b";

You will need to change $file to whatever date you want... I am also
at the point of releasing a simplified web UI for ossec. If anyone is
interesting to check out a live demo, please visit:

http://dev.ossec.net:443/os/index.php

*the search option is becoming interesting now :)

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


On 11/2/06, Jeremy Hanmer <jeremy@xxxxxxxxxxxxxxx> wrote:
> On Nov 1, 2006, at 6:17 PM, Daniel Cid wrote:
>
> >
> > Hi Jeremy,
> >
> > Thanks for the report. It's nice to see that ossec is handling this
> > large number
> > of agents. One think you can change is the maximum number of events
> > stored
> > in memory for correlation. By default it is 1024, but for your large
> > install you can
> > increase it to 5096 or something larger. Just set the "memory_size"
> > option in
> > the "global" section to the value you want. Most of the times I
> > increase it to
> > 5096 :)
>
> Thanks, I'm trying that right now.
>
> >
> > Btw, how many events and alerts per second do you have? (Analysisd
> > store
> > them hourly)... Just curious..
>
> It looks like I averaged 44 events/sec yesterday.  I did zgrep -c
> ^2006 ossec-alerts-01.log.gz and divide that by 86400....not sure if
> there's a better way.
>
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 11/1/06, Jeremy Hanmer <jeremy@xxxxxxxxxxxxxxx> wrote:
> >>
> >>
> >> On Oct 30, 2006, at 5:07 PM, Daniel Cid wrote:
> >>
> >> >
> >> > Hi Jeremy,
> >> >
> >> >
> >> > *btw, let us know how ossec behaves with that large number of
> >> agents.
> >> > The maximum
> >> > I tested with was 74 agents.
> >>
> >> I've had everything running since Sunday with all 420 agents and
> >> everything's looking good.  As far as performance goes, the box is a
> >> dual-core Opteron 165 with 2GB of RAM.  During the busiest time of
> >> the day, ossec-analysisd averages about 50% CPU with less than 2MB of
> >> RAM used and ossec-remoted averages about 5% CPU with about 3MB of
> >> RAM usage.
> >>
> >>
> >>
> >>
> >> > Thanks,
> >> >
> >> > --
> >> > Daniel B. Cid
> >> > dcid ( at ) ossec.net
> >> >
> >> > On 10/30/06, Jeremy Hanmer <jeremy@xxxxxxxxxxxxxxx> wrote:
> >> >>
> >> >> I've got a fairly large ossec installation that I've just set up
> >> >> (currently 420 agents with 1 central server) and I hit a
> >> problem with
> >> >> MAX_AGENTS.  With more than 256 agents, ossec-remoted
> >> segfaults.  I
> >> >> had to dig through the code to figure out what to raise since
> >> nothing
> >> >> gets logged when it crashes.  I tried to add some error
> >> handling, but
> >> >> it looks like a lot of places would need checks and I'm not quite
> >> >> comfortable with that just yet.
> >> >>
> >>
> >>