Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




Post subject: Re: CPU usage increases occasionally after upgrade to 3.0
Posted: Wed Jul 20, 2011 4:31 pm
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 865
Location: Germany
Thanks Mike.
I have disabled "Report" for /var/www/vhosts now.
Tomorrow, after 24h, I will disable it completely and then compare the loads and give feedback.


Post subject: Re: CPU usage increases occasionally after upgrade to 3.0
Posted: Sun Jul 24, 2011 2:41 pm
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 865
Location: Germany
I can confirm that switching off the file integrity check for /var/www/vhosts is getting the CPU level down to the state it was before. So now I'm still struggling with myself what is the best way for me. What to check and/or not?

It's useful to see what my customers change in their vhosts directories if they complain about something. On the other hand I won't double check everything.

What I find pretty useful is that if some hijacking happens and the bad guy is changing files I will notice it.
Because: if e.g. the password+username gets "stolen" from a client's computer, ASL won't be able to detect it since it's a regular change. Unless some bad code is found.
Right? Or are there other detection methods in ASL that catch something like this as well?
Then I could save CPU power and leave it disabled for /var/www/vhosts

Thanks Scott and Mike.
I love ASL 3 :mrgreen:


Post subject: Re: CPU usage increases occasionally after upgrade to 3.0
Posted: Mon Jul 25, 2011 12:31 pm
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7964
Location: earth
Hmmm... maybe you could extend the scan frequency out more than 24 hours. Or limit it to specific domains, like just /var/www/vhosts/domain.com/httpdocs


Post subject: Re: CPU usage increases occasionally after upgrade to 3.0
Posted: Mon Jul 25, 2011 2:49 pm
Forum Regular

Joined: Sat Mar 28, 2009 6:58 pm
Posts: 865
Location: Germany
Thanks Scott, I will think about it and reenable it again for now.

EDIT: btw. isn't 24h the maximum I can set?


Post subject: Re: CPU usage increases occasionally after upgrade to 3.0
Posted: Mon Jul 25, 2011 4:40 pm
Forum Regular

Joined: Sat Dec 11, 2004 2:33 pm
Posts: 239
Location: South Africa
Over the weekend, I opted to remove & re-install ASL.

After the reload there is almost NO CPU load from ossec-syscheckd
I created a little jing video http://www.2large.co.za/jing/ossec.swf to show HTOP

The issue I am now having is that ossec sends me notifications almost every 30 min

Command executed: /sbin/service ossec-hids restart Exit value: 0 Signal number: 0 Dumped core?: 0

Shutting down ossec-hids: [ OK ] Starting ossec-hids: 2011/07/25 22:10:12 ossec-execd: INFO: Adding offenders timeout: 540 (for #1)
2011/07/25 22:10:12 ossec-execd: INFO: Adding offenders timeout: 1620 (for #2)
2011/07/25 22:10:12 ossec-execd: INFO: Adding offenders timeout: 4860 (for #3) [ OK ]


I also receive this notification:


OSSEC HIDS Notification.
2011 Jul 25 22:10:23

Received From: webhost->ossec-monitord
Rule: 502 fired (level 3) -> "Ossec server started."
Portion of the log(s):

ossec: Ossec started.

--END OF NOTIFICATION


Attachment: ossec-new.png (File comment: screen-grab of Jing)

_________________
Mark Brindley
2Large Networks - Web solutions that work

Post subject: Re: CPU usage increases occasionally after upgrade to 3.0
Posted: Mon Jul 25, 2011 5:22 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3679
Location: Chantilly, VA
Any errors in your /var/log/ossec/ossec.log file?

And did you reinstall ossec from rpm or from source?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: CPU usage increases occasionally after upgrade to 3.0
Posted: Mon Jul 25, 2011 6:07 pm
Forum Regular

Joined: Sat Dec 11, 2004 2:33 pm
Posts: 239
Location: South Africa
I installed using yum install ossec

ossec-hids-2.6-1.el5.art.x86_64.rpm
ossec-hids-server-2.6-1.el5.art.x86_64.rpm

My ossec.log is located in /var/ossec/logs/ossec.log, not /var/log/ossec/ossec.log?

The errors I see in the log are:

2011/07/25 23:22:32 ossec-syscheckd: ERROR: Unable to run diff for /etc/dcc/map
2011/07/25 23:38:18 ossec-analysisd(1210): ERROR: Queue '/queue/alerts/ar' not accessible: 'Connection refused'.
2011/07/25 23:38:18 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.
2011/07/25 23:52:32 ossec-syscheckd: ERROR: Unable to run diff for /etc/dcc/map
2011/07/25 23:58:39 ossec-analysisd(1301): ERROR: Unable to connect to active response queue.

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: CPU usage increases occasionally after upgrade to 3.0
Posted: Mon Jul 25, 2011 6:39 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3679
Location: Chantilly, VA
Yes, that's the correct log (just typing too fast on my part, and habit...) - any other log events in that file, including non-error?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: CPU usage increases occasionally after upgrade to 3.0
Posted: Mon Jul 25, 2011 7:33 pm
Forum Regular

Joined: Sat Dec 11, 2004 2:33 pm
Posts: 239
Location: South Africa
@mikeshinn - I sent you a PM - something strange is going on...

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: CPU usage increases occasionally after upgrade to 3.0
Posted: Mon Jul 25, 2011 8:07 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3679
Location: Chantilly, VA
Got your PM. If you haven't done so already, send an email to support AT atomicorp DOT com. I think you have a more serious problem with your system (file system corruption maybe?).

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: CPU usage increases occasionally after upgrade to 3.0
Posted: Tue Jul 26, 2011 11:12 pm
Forum User

Joined: Sat Jan 20, 2007 6:57 pm
Posts: 85
cpu is ramping up again:
from top:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
15799 root 25 0 32064 28m 644 R 100.1 0.9 353:09.86 ossec-syscheckd

It seems occasionally the CPU will start to ramp up and stay up until I restart ASL.


Post subject: Re: CPU usage increases occasionally after upgrade to 3.0
Posted: Wed Jul 27, 2011 12:31 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3679
Location: Chantilly, VA
Quote:
cpu is ramping up again:


Please see this FAQ:

https://www.atomicorp.com/wiki/index.ph ... lot_of_CPU

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: CPU usage increases occasionally after upgrade to 3.0
Posted: Tue Aug 16, 2011 5:25 am
Forum Regular

Joined: Sat Dec 11, 2004 2:33 pm
Posts: 239
Location: South Africa
Upgraded to ASL Version 3.0.7: CentOS 5 (SUPPORTED) last night.

CPU usage on ossec-syscheckd has reduced significantly.

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: CPU usage increases occasionally after upgrade to 3.0
Posted: Wed Aug 31, 2011 5:34 pm
Forum Regular

Joined: Sat Dec 11, 2004 2:33 pm
Posts: 239
Location: South Africa
ASL Version 3.0.9: CentOS 5 (SUPPORTED).

CPU usage on ossec-syscheckd has JUMPED UP significantly.
I have disabled monitoring on /var/www/vhosts - CPU at 100% for hours

_________________
Mark Brindley
2Large Networks - Web solutions that work


Post subject: Re: CPU usage increases occasionally after upgrade to 3.0
Posted: Wed Aug 31, 2011 6:23 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3679
Location: Chantilly, VA
Nothing changed in syscheckd, so is it possible you just have a lot of files or directories you are monitoring?

Also, did you restart ossec?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
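
The question in the post above, whether the monitored tree simply holds a lot of files, can be answered by counting them per directory, and the same count shows how much a scan limited to the httpdocs directories would shrink. This is an added example, not part of the thread and not ASL or OSSEC code; the function names and the sample domains are made up, and the tree it builds stands in for /var/www/vhosts.

```shell
#!/bin/sh
# Added example (not from the thread): count the regular files a
# file-integrity scan has to read, per top-level directory of a tree.
# Function names are illustrative; needs find -print0 (GNU/BSD find).

# count_files DIR -> number of regular files below DIR, one filesystem only
count_files() {
    find "$1" -xdev -type f -print0 2>/dev/null | tr -dc '\000' | wc -c | tr -d ' '
}

# rank_dirs ROOT [N] -> "COUNT<TAB>DIR" lines for the N largest subdirectories
rank_dirs() {
    for d in "$1"/*/; do
        d=${d%/}
        # Skip glob non-matches and symlinks so the walk stays inside ROOT.
        [ -d "$d" ] && [ ! -L "$d" ] || continue
        printf '%s\t%s\n' "$(count_files "$d")" "$d"
    done | sort -k1,1nr | head -n "${2:-10}"
}

# scoped_count ROOT SUB -> total files under ROOT/<dir>/SUB only, e.g.
# SUB=httpdocs to size a scan limited to the document roots.
scoped_count() {
    total=0
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d/$2" ] && [ ! -L "$d" ] && [ ! -L "$d/$2" ] || continue
        total=$((total + $(count_files "$d/$2")))
    done
    printf '%s\n' "$total"
}

# Constructed sample tree standing in for /var/www/vhosts.
make_sample() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/a.example/httpdocs" "$t/a.example/statistics" "$t/b.example/httpdocs"
    touch "$t/a.example/httpdocs/index.php" "$t/a.example/httpdocs/x.php"
    for i in 1 2 3 4 5; do touch "$t/a.example/statistics/log.$i"; done
    touch "$t/b.example/httpdocs/index.html"
    printf '%s\n' "$t"
}

# With no argument, run against the sample tree and remove it afterwards.
ROOT=${1:-$(make_sample)}
echo "files per directory under $ROOT:"; rank_dirs "$ROOT"
echo "files if limited to httpdocs: $(scoped_count "$ROOT" httpdocs)"
[ $# -gt 0 ] || rm -rf "$ROOT"
```

Pass the real tree as the first argument to measure it instead of the sample.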

