[ossec-dev] Re: problem with MAX_AGENTS
I would do
grep '^*' alertlog | wc -l
On 11/3/06, Jeremy Hanmer <jeremy@xxxxxxxxxxxxxxx> wrote:
Quite a number.
Total events: 43891725
The web interface looks good. I hope the "Available agents" section
will be paginated, though :)
On Nov 2, 2006, at 6:04 PM, Daniel Cid wrote:
>
> Hi Jeremy,
>
> Thanks for the information. You got the number of alerts per second
> (what ossec actually logs at the end). The total number of events
> received can be viewed with the following hack:
>
> # file=/var/ossec/stats/totals/2006/Oct/ossec-totals-22.log
> # a=`cat $file |grep "\-\-" | cut -d "-" -f 5`;
> # b=0;for i in $a; do b=`expr $b + $i`; done;
> # echo "Total events: $b";
>
> You will need to change $file to whatever date you want... I am also
> at the point of releasing a simplified web UI for ossec. If anyone is
> interested in checking out a live demo, please visit:
>
> http://dev.ossec.net:443/os/index.php
>
> *the search option is becoming interesting now :)
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On 11/2/06, Jeremy Hanmer <jeremy@xxxxxxxxxxxxxxx> wrote:
>>
>>
>> On Nov 1, 2006, at 6:17 PM, Daniel Cid wrote:
>>
>> >
>> > Hi Jeremy,
>> >
>> > Thanks for the report. It's nice to see that ossec is handling this
>> > large number of agents. One thing you can change is the maximum
>> > number of events stored in memory for correlation. By default it is
>> > 1024, but for your large install you can increase it to 5096 or
>> > something larger. Just set the "memory_size" option in the "global"
>> > section to the value you want. Most of the time I increase it to
>> > 5096 :)
>>
>> Thanks, I'm trying that right now.
>>
>> >
>> > Btw, how many events and alerts per second do you have? (Analysisd
>> > stores them hourly)... Just curious..
>>
>> It looks like I averaged 44 events/sec yesterday. I did zgrep -c
>> ^2006 ossec-alerts-01.log.gz and divided that by 86400....not sure if
>> there's a better way.
>>
>> > Thanks,
>> >
>> > --
>> > Daniel B. Cid
>> > dcid ( at ) ossec.net
>> >
>> > On 11/1/06, Jeremy Hanmer <jeremy@xxxxxxxxxxxxxxx> wrote:
>> >>
>> >>
>> >> On Oct 30, 2006, at 5:07 PM, Daniel Cid wrote:
>> >>
>> >> >
>> >> > Hi Jeremy,
>> >> >
>> >> >
>> >> > *btw, let us know how ossec behaves with that large number of
>> >> > agents. The maximum I tested with was 74 agents.
>> >>
>> >> I've had everything running since Sunday with all 420 agents and
>> >> everything's looking good. As far as performance goes, the box is a
>> >> dual-core Opteron 165 with 2GB of RAM. During the busiest time of
>> >> the day, ossec-analysisd averages about 50% CPU with less than 2MB of
>> >> RAM used and ossec-remoted averages about 5% CPU with about 3MB of
>> >> RAM usage.
>> >>
>> >>
>> >>
>> >>
>> >> > Thanks,
>> >> >
>> >> > --
>> >> > Daniel B. Cid
>> >> > dcid ( at ) ossec.net
>> >> >
>> >> > On 10/30/06, Jeremy Hanmer <jeremy@xxxxxxxxxxxxxxx> wrote:
>> >> >>
>> >> >> I've got a fairly large ossec installation that I've just set up
>> >> >> (currently 420 agents with 1 central server) and I hit a problem
>> >> >> with MAX_AGENTS. With more than 256 agents, ossec-remoted
>> >> >> segfaults. I had to dig through the code to figure out what to
>> >> >> raise since nothing gets logged when it crashes. I tried to add
>> >> >> some error handling, but it looks like a lot of places would need
>> >> >> checks and I'm not quite comfortable with that just yet.
>> >> >>
>> >>
>> >>
>>
>>
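
The first message in the thread reports ossec-remoted segfaulting, with nothing logged, once more than 256 agents are configured. The C code below is an added example, not OSSEC source code: it assumes MAX_AGENTS sizes a fixed array, uses hypothetical names (`struct agent_table`, `agent_add`, `load_agents`, `AGENT_ID_LEN`) and constructed agent ids, and shows the limit being checked and logged at the point of insertion.

```c
#include <stdio.h>
#include <string.h>

#define MAX_AGENTS 256    /* the limit reported in the thread */
#define AGENT_ID_LEN 16   /* assumed size of an agent id buffer */
/* Hypothetical fixed-size agent table; not OSSEC's actual structure. */
struct agent_table {
    char ids[MAX_AGENTS][AGENT_ID_LEN];
    size_t count;
};

/* Returns 0, or -1 with a logged reason when the table is full or the id
 * is too long, so the limit leaves a trace, not an out-of-bounds write. */
int agent_add(struct agent_table *t, const char *id)
{
    if (t->count >= MAX_AGENTS) {
        fprintf(stderr, "ERROR: agent '%s' rejected: MAX_AGENTS (%d) reached\n", id, MAX_AGENTS);
        return -1;
    }
    if (strlen(id) >= AGENT_ID_LEN) {
        fprintf(stderr, "ERROR: agent id '%s' is too long\n", id);
        return -1;
    }
    strcpy(t->ids[t->count], id);   /* length checked above */
    t->count++;
    return 0;
}

/* Load n constructed ids ("001", "002", ...). Returns the number rejected. */
int load_agents(struct agent_table *t, int n)
{
    int rejected = 0;
    char id[AGENT_ID_LEN];
    t->count = 0;
    for (int i = 1; i <= n; i++) {
        snprintf(id, sizeof id, "%03d", i);
        if (agent_add(t, id) != 0)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    static struct agent_table t;
    int rejected = load_agents(&t, 420);   /* agent count from the thread */
    printf("loaded=%zu rejected=%d\n", t.count, rejected);
    return 0;
}
```
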
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.