{"id":331,"date":"2007-01-21T04:14:00","date_gmt":"2007-01-21T04:14:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=331"},"modified":"2020-07-03T04:15:29","modified_gmt":"2020-07-03T04:15:29","slug":"ossec-performance","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2007\/01\/ossec-performance\/","title":{"rendered":"OSSEC Performance"},"content":{"rendered":"\n<p>A friend of mine recently asked me the maximum number of logs per second that&nbsp;<a href=\"http:\/\/www.ossec.net\/\">ossec<\/a>&nbsp;could handle, but I didn\u2019t have an answer for him. I have heard of a few&nbsp;<a href=\"http:\/\/www.ossec.net\/ossec-dev\/2006-November\/msg00005.html\">reports<\/a>&nbsp;of ossec handling more than&nbsp;<strong>508<\/strong>&nbsp;logs per second in a setup with more than 400 agents. I also installed it at an ISP that on average receives between 200 and 250 logs per second. However, there is no definitive answer to this question because it depends a lot on the hardware being used and the format of the logs\u2026 Anyway, I decided to run some quick tests to see how well (or badly) it would perform here.<\/p>\n\n\n\n<p>My performance test was very simple: send as many logs as possible to&nbsp;<strong>analysisd<\/strong>&nbsp;(the main ossec process) and check the&nbsp;<strong>\/var\/ossec\/stats\/totals<\/strong>&nbsp;directory to see how many logs it was able to process per second.<\/p>\n\n\n\n<p><strong>Test setup:<\/strong><br>I created 5 ossec configurations for logcollector and started one separate daemon for each config. Each process was monitoring one log file. 
The operating system was OpenBSD 3.9 on an old PIII 700 with 512M of RAM.<strong><br># \/var\/ossec\/bin\/ossec-logcollector -c \/var\/ossec\/etc\/log1.conf<br># \/var\/ossec\/bin\/ossec-logcollector -c \/var\/ossec\/etc\/log2.conf<br># \/var\/ossec\/bin\/ossec-logcollector -c \/var\/ossec\/etc\/log3.conf<br># \/var\/ossec\/bin\/ossec-logcollector -c \/var\/ossec\/etc\/log4.conf<br># \/var\/ossec\/bin\/ossec-logcollector -c \/var\/ossec\/etc\/log5.conf<\/strong><\/p>\n\n\n\n<p><strong># tail \/var\/ossec\/logs\/ossec.log<br><\/strong><em>2007\/01\/20 15:14:49 ossec-logcollector(1950): Analyzing file: \u2018\/data\/test-logs\/log1\u2019.<br>2007\/01\/20 15:14:50 ossec-logcollector(1950): Analyzing file: \u2018\/data\/test-logs\/log2\u2019.<br>..<br>2007\/01\/20 15:14:56 ossec-logcollector(1950): Analyzing file: \u2018\/data\/test-logs\/log5\u2019.<br>2007\/01\/20 15:14:56 ossec-logcollector: Started (pid: 15448).<\/em><\/p>\n\n\n\n<p>To be fair, I chose 5 different log formats and wrote a simple script to keep filling the logs as fast as possible.<\/p>\n\n\n\n<p><strong># cd \/data\/test-logs<br># while [ 1 ]; do .\/fill-logs.sh; done<br># cat fill-logs.sh<br><\/strong><em>cat PIX-sample &gt;&gt; log1 &amp;<br>cat accesslog-sample &gt;&gt; log2 &amp;<br>cat authlog-sample &gt;&gt; log3 &amp;<br>cat messages-sample &gt;&gt; log4<br>cat squid-sample &gt;&gt; log5<br><\/em><br><strong>Test results<\/strong>:<br>I let this setup run for a while (6 to 7 hours) and also wrote a small script to monitor the process CPU and memory utilization. On average, the CPU utilization was around 10%, with peaks of 18%. Memory usage was constant at about 2100K.<\/p>\n\n\n\n<p>The average number of events per hour during this 6-hour test was around&nbsp;<strong>1,238,989<\/strong>, which works out to&nbsp;<strong>344<\/strong>&nbsp;logs per second.<\/p>\n\n\n\n<p>What does it prove? Nothing. 
Just that OSSEC v1.0 on an old PIII with 512M of RAM can sustain more than 340 logs per second while averaging around 10% CPU (18% at peak).<br>Do you run ossec in a large environment? How many logs per second is it monitoring in your environment? It would be nice to have a few examples for future comparison.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A friend of mine recently asked me the maximum number of logs per second that&nbsp;ossec&nbsp;could handle, but I didn\u2019t have an answer for him. I have heard of a few&nbsp;reports&nbsp;of ossec handling more than&nbsp;508&nbsp;logs per second in a setup with more than 400 agents. I also installed it at an ISP that on average [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/331"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=331"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/331\/revisions"}],"predecessor-version":[{"id":332,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/331\/revisions\/332"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=331"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=331"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=331"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
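The load test the post describes (five log files fed by a fill-logs.sh loop, a small script watching CPU and memory, and a per-second figure derived from an hourly event count) reproduced as one POSIX sh harness. This is an added example, not code from the original post and not part of OSSEC itself. It assumes a log directory of /data/test-logs (overridable through LOGDIR), constructed one-line stand-ins for the PIX, access, auth, messages and squid samples the post used, the process name ossec-analysisd for pgrep, and the POSIX ps keywords pcpu and vsz. It measures the rate at which events are fed to the collectors, which is an upper bound on what analysisd processed; the stats/totals directory remains the authority for the processed count.

```shell
#!/bin/sh
# Added example (not from the original post): a POSIX sh harness that
# reproduces the post's load test. It feeds constructed sample lines into
# five log files the way fill-logs.sh does, measures the input rate by
# sampling line counts, and reports analysisd CPU/memory with ps.
# Assumptions (not on the original page): the log directory, the sample
# lines, the process name used by pgrep, and the ps keywords.

LOGDIR="${LOGDIR:-/data/test-logs}"   # assumed default; override with LOGDIR=...

# Append one constructed sample line per format to the five log files.
# These are synthetic stand-ins for the PIX/access/auth/messages/squid
# samples the post used; they are not real captures.
fill_logs() {
    dir="$1"
    printf '%s\n' 'Jan 20 15:14:49 fw %PIX-6-302013: Built outbound TCP connection 1 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.0.0.5/1025 (203.0.113.1/1025)' >> "$dir/log1"
    printf '%s\n' '192.0.2.10 - - [20/Jan/2007:15:14:49 -0500] "GET /index.html HTTP/1.1" 200 512' >> "$dir/log2"
    printf '%s\n' 'Jan 20 15:14:49 host sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 1025 ssh2' >> "$dir/log3"
    printf '%s\n' 'Jan 20 15:14:49 host kernel: lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224' >> "$dir/log4"
    printf '%s\n' '1169324089.000 12 10.0.0.5 TCP_MISS/200 512 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html' >> "$dir/log5"
}

# Total lines across the five monitored files (files not yet created count 0).
count_events() {
    dir="$1"; total=0
    for i in 1 2 3 4 5; do
        f="$dir/log$i"
        [ -f "$f" ] || continue
        n=$(wc -l < "$f")
        total=$((total + n))
    done
    echo "$total"
}

# Integer events per second for a count measured over N seconds.
# The post's hourly figure gives: rate_per_sec 1238989 3600 -> 344.
rate_per_sec() {
    [ "$2" -gt 0 ] || { echo 0; return 1; }
    echo $(( $1 / $2 ))
}

# CPU and virtual size of ossec-analysisd if it is running; empty otherwise.
# pcpu and vsz are POSIX ps keywords, so this works on OpenBSD and Linux.
analysisd_stats() {
    pid=$(pgrep -x ossec-analysisd 2>/dev/null | head -n 1)
    [ -n "$pid" ] || return 0
    ps -o pcpu=,vsz= -p "$pid"
}

# Feed the logs for a fixed number of seconds, then report the input rate
# and the analysisd resource usage at the end of the run.
run_test() {
    dir="$1"; secs="$2"
    mkdir -p "$dir"
    start=$(count_events "$dir")
    end_time=$(( $(date +%s) + secs ))
    while [ "$(date +%s)" -lt "$end_time" ]; do
        fill_logs "$dir"
    done
    delta=$(( $(count_events "$dir") - start ))
    echo "fed $delta events in ${secs}s = $(rate_per_sec "$delta" "$secs") events/sec"
    analysisd_stats
}

# Only run the live test when invoked as: sh ossec-load.sh --demo [seconds]
if [ "${1-}" = "--demo" ]; then
    run_test "$LOGDIR" "${2:-10}"
fi
```

Run it with `LOGDIR=/data/test-logs sh ossec-load.sh --demo 60` while the five logcollector daemons from the post are running, then compare the reported input rate against the hourly event count in /var/ossec/stats/totals: if the totals fall short of the fed rate, analysisd is the bottleneck rather than the collectors.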