Know How:Syscheck Perf - OSSEC Wiki

From OSSEC Wiki

Jump to: navigation, search

How do I reduce the amount of CPU used by Syscheck?

by Daniel B. Cid

-There are a couple of things that can be done:

Increase the syscheck frequency to a higher value, so it will check the system fewer times.

 <syscheck>
   <!-- Frequency every 10 hours... -->
   <frequency>72000</frequency>
  </syscheck>

Change internal_options.conf and increase the value of syscheck.sleep and reduce the value of syscheck.sleep_after.

# Syscheck checking/usage speed. To avoid large cpu/memory
# usage, you can specify how much to sleep after generating
# the checksum of X files. The default is to sleep 2 seconds
# after reading 15 files.
syscheck.sleep=2
syscheck.sleep_after=15

Change the init script to renice syscheck after startup.

Retrieved from "http://www.ossec.net/wiki/index.php/Know_How:Syscheck_Perf"

Views

Edit

Personal tools

Log in / create account

Documentation

Search