[ossec-list] Re: Performance issues

["Daniel Cid" <daniel.cid@xxxxxxxxx>]

Hi Vishnu,

There are a couple of things that you can try:

-Increase the syscheck frequency to a higher value, so it will check the system
fewer times.

 <syscheck>
   <!-- Frequency every 10 hours... -->
   <frequency>72000</frequency>

-Change internal_options.conf and increase the value of syscheck.sleep and
reduce the value of syscheck.sleep_after.

# Syscheck checking/usage speed. To avoid large cpu/memory
# usage, you can specify how much to sleep after generating
# the checksum of X files. The default is to sleep 2 seconds
# after reading 15 files.
syscheck.sleep=2
syscheck.sleep_after=15


-Change the init script to renice syscheck after startup.


Hope it helps.

--
Daniel B. Cid
dcid ( at  ) ossec.net

On 4/11/07, R Vishnupriyan-A21280 <vishnupriyan@xxxxxxxxxxxx> wrote:
> Greetings,
>
> I'm facing some performance issues with the OSSEC integrity check daemon on
> my Montavista Linux machine.
>
> The syscheck gets invoked every 60 minutes and it takes as much as 90% peak
> CPU to detect if there is any integrity violation
>
> 1. Is there a way that we can reduce the CPU consumption of OSSEC?
>
> 2. Can we change the priority of the OSSEC daemons so that they don't take
> much of the CPU cycles?
>
> Please help me understand this.
>
> Thanks,
> Vishnu