There are ways to reduce some of the CPU load from services such as analysisd, syscheckd, mysql and the OpenSCAP scan in OSSEC. Analysisd receives the log messages and compares them to the rules; it creates an alert when a log message matches an applicable rule. Syscheckd and rootcheck are the daemons that power the File Integrity Monitoring (FIM) feature and the malware scans. OpenSCAP is a compliance and lightweight vulnerability scanner that uses definitions for different security frameworks (PCI DSS, NIST, etc.). It runs in conjunction with syscheckd. Below are some measures you can take to help reduce some of the load from these different processes. There is a trade-off between changing some of these configurations and software capabilities/performance.
1. Check the CPU and increase the number of cores for increased performance
2. Check the memory and increase it to enhance performance
[root@demo ~]# free -h
3. Turn OpenSCAP scanning off
In the GUI, navigate to Settings > ASL Configurations > Host Intrusion Detection System >
ossec_modules: openscap (HIDS_OPENSCAP_MODULE): sets the openscap module (compliance scanning) on/off in ossec
and turn this setting off. Save your changes.
4. Run mysqltuner for performance information and tuning suggestions. Note: we do not support mysql. Contact your OS vendor for more assistance on this. High mysql loads can be attributed to the amount of data being processed by the Aria database storage engine.
5. Tune the syscheckd settings
By default syscheckd is configured to sleep for 1 second after scanning 100 files. This can contribute to high CPU loads depending on how many cores you have provisioned on your server. Consider increasing your CPU core count or changing the settings. For example, you can set syscheckd to sleep for 2 seconds for every 15 files it reads. Please note that this will cause syscheckd to take longer to finish scanning the file systems that are being watched by OSSEC. The realtime feature works AFTER syscheckd has finished starting. To tune this setting go to Settings > ASL Configuration > Host Intrusion Detection System >
Syscheck: Sleep after checksum (HIDS_syscheck_sleep): Syscheck checking/usage speed. To avoid large CPU/memory usage, you can specify how much to sleep (in seconds) after generating the checksum of X files.
Syscheck: Sleep after checksum 2 (HIDS_syscheck_sleep_after): Syscheck checking/usage speed. This is the number of files (X) after which syscheckd sleeps.
and change Syscheck: Sleep After Checksum to 2 and Syscheck: Sleep after checksum 2 to 15.
Save your changes so they take effect. Below is an example of the full chain of log messages that tells you syscheckd has finished starting:
2018/10/23 10:47:46 ossec-syscheckd: INFO: Real time file monitoring engine started.
2018/10/23 10:47:47 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2018/10/23 10:47:52 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2018/10/23 10:49:00 ossec-syscheckd: INFO: Starting syscheck real-time monitoring.
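The following shell helper is an added example, not part of the original article or of OSSEC/ASL itself. It measures how long the startup chain above took by reading the OSSEC log, which is useful for judging the effect of the sleep settings; it assumes GNU date (date -d) and OSSEC's "YYYY/MM/DD HH:MM:SS" timestamp format, and uses a constructed sample log.

```shell
#!/bin/sh
# Added example, not from the original article: measure how long syscheckd's
# startup chain took, from "Real time file monitoring engine started" to
# "Starting syscheck real-time monitoring". Assumes GNU date (date -d) and
# OSSEC's "YYYY/MM/DD HH:MM:SS" log timestamp format.

# Constructed sample log mirroring the chain shown in the article.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2018/10/23 10:47:46 ossec-syscheckd: INFO: Real time file monitoring engine started.
2018/10/23 10:47:47 ossec-syscheckd: INFO: Finished creating syscheck database (pre-scan completed).
2018/10/23 10:47:52 ossec-syscheckd: INFO: Ending syscheck scan (forwarding database).
2018/10/23 10:49:00 ossec-syscheckd: INFO: Starting syscheck real-time monitoring.
EOF

# epoch_of LOGLINE -> epoch seconds of the line's leading timestamp
epoch_of() {
    # "2018/10/23 10:47:46" -> "2018-10-23 10:47:46" so that date -d parses it
    ts=$(printf '%s\n' "$1" | cut -c1-19 | tr '/' '-')
    date -d "$ts" +%s
}

# last_match LOGFILE STRING -> the last line containing STRING, or ""
last_match() {
    grep -F -- "$2" "$1" | tail -n 1
}

# syscheck_startup_seconds LOGFILE
# Prints the seconds between the most recent engine start and the most recent
# "real-time monitoring" line. Prints -1 (and fails) when the chain is not
# complete, including a restart whose start line is newer than the last finish.
syscheck_startup_seconds() {
    start=$(last_match "$1" "Real time file monitoring engine started")
    finish=$(last_match "$1" "Starting syscheck real-time monitoring")
    if [ -z "$start" ] || [ -z "$finish" ]; then
        printf '%s\n' -1; return 1
    fi
    elapsed=$(( $(epoch_of "$finish") - $(epoch_of "$start") ))
    if [ "$elapsed" -lt 0 ]; then
        printf '%s\n' -1; return 1
    fi
    printf '%s\n' "$elapsed"
}

syscheck_startup_seconds "$SAMPLE_LOG"   # prints 74 for the sample above
```

Point it at the real OSSEC log on a server whose sleep settings you changed, and compare the result before and after the change.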
6. Tune Watch Rules for the different Agent Groups and/or server itself.
If you're using the AEO Hub design, navigate to ASL > Agent Manager
Click FIM settings for the group. Look at the files that are currently being monitored. Are these large file systems? Do they currently have dynamically changing files in them? Is whodata, realtime or report changes set to yes? These settings can impact the performance of syscheckd and analysisd. Consider turning some of these settings off or setting ignore rules so syscheckd completely ignores the directory.
If you're using the standalone design (ASL) navigate to ASL > File Integrity > Watch Rules and follow the suggestions above.