Ossec-analysisd high memory usage over time. #1502
Comments
How many agents do you have? I'm not seeing this issue, but I have very few agents connected to my systems.
There are approximately 40 active agents currently running. Though we have approximately 76 added, some have been retired. One of the things I have been wondering about was in the /var/ossec/etc/internal_options.conf. The new internal_options.conf file has this: Analysisd stats maximum diff. The one from 2.8.3 had this: Analysisd stats maximum diff. Would changing this to a lower number cause any issues? Thank you for your help so far.
You could try it, I don't think it would cause any issues. I can't remember why that was changed offhand, but see if it helps.
I apologize for a late response. I did change the setting to about a tenth of what it was. I am just waiting to see if the issue still occurs. I changed it on Monday, and the ossec-analysisd is currently at 76.2% memory usage. I will wait to see if the service does self-terminate again. I will keep you updated. But thank you for all of your help so far.
Good morning. Changing the analysisd.stats_maxdiff setting to a lower number has had no effect, I'm afraid.
Well, I didn't get the issue fixed, I'm afraid. But I did get around it by just making a cron job to restart the OSSEC services every 24 hours.
Hi, I got exactly the same problem: ossec-analysisd increases memory over time. Maybe you can help me if I give the configuration for server and agent. I don't fully use the functionality of OSSEC; I use it just for the integrity of files. Hope you can help me. Best regards
I on a new OSSEC server with version 3.0.0-5505.el6.art from the Atomic repository. Downgrading to version 2.9.3-2833.el6.art did not help. I didn't have any previous versions available to try, so I cloned another OSSEC VM that had version 1:2.9.0-1700.el6.art installed and that did the trick. So it seems this issue started sometime after version 2.9.0 and on or before version 2.9.3.
Whoops, mangled that first sentence. Should read "I had this issue on a new OSSEC server..."
Can you retest on the 2.9.1 branch and see if it pops up there?
Is there a 2.9.1 RPM available for CentOS 6 (or similar)? Or would I need to compile 2.9.1 from source?
We're experiencing this unless we restart the service on a cron. It's very easy to replicate on a small instance (t3.micro). Anything I can provide to help diagnose this please let me know.
Hello everyone. I am currently running OSSEC 3.0.0. I am having an issue where the ossec-analysisd service eventually uses all the memory. Currently we have 4GB of RAM for the VM that OSSEC is running on. Over the course of approximately 2 days ossec-analysisd's memory usage slowly rises until maximum memory is used, then ossec-analysisd stops. Restarting OSSEC does reset the memory usage, but it just slowly rises again.
For a little bit of history. On this server we were running 2.8.3 for over a year, and it worked perfectly. We decided to upgrade to 2.9.4. That is when we first ran into the memory issue. When version 3.0.0 came out we did a clean install of that to attempt to fix the memory issue, but the issue still occurs.
Are there recommended hardware requirements for OSSEC? Or is there a new setting that I need to change to alleviate this issue? I have searched and could not find anything. I am sorry if this does turn out to be something obvious that I missed.