
I have a DELL blade with ~100 VMs (with a Citrix XenServer 6.1 hypervisor), all with an ossec agent connected to an ossec server outside that same blade. I have a bit of a problem: they all run the rootkit check at the same time, and their vDISKs are on the same RAID. This causes IOwait on some VMs and dom0.

Is there any way to group some of these machines so they run their rootkit check at a different time than the rest? Kind of dividing my 100 VMs into groups, with their own rules and schedules but connected to the same ossec server.

Thanks in advance.

Ricardo

1 Answer


In ossec.conf set the 'frequency' variable to something different - in fact if you wanted to get really clever you could get each VM to choose this value (between an upper and lower limit of course) randomly at VM boot time. That'd smear them out nicely.

Chopper3
  • I've thought of that solution but it doesn't seem very manageable. Besides, my VMs don't reboot if everything goes right. (I can do it by cron, but in any case not very manageable) – Ricardo Jul 04 '14 at 11:46
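
Added example, not part of the original answer or comments: a variant of the per-VM `frequency` idea that derives the value from the hostname instead of a random draw, so the same script can be pushed unchanged to every agent and always yields the same value on a given VM. The bounds, the function names and the sample hostname in the usage comment are assumptions; the edit touches only the `<frequency>` inside `<rootcheck>`, not the one in `<syscheck>`.

```shell
#!/bin/sh
# Added example: stable per-host rootcheck interval written into ossec.conf.
# LOWER/UPPER are constructed bounds for illustration, not OSSEC defaults.
LOWER=36000   # seconds
UPPER=43200   # seconds

# host_frequency NAME -> prints a value in [LOWER, UPPER], identical on every
# run for the same NAME (CRC of the name via POSIX cksum, reduced to the range).
host_frequency() {
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( LOWER + crc % (UPPER - LOWER + 1) ))
}

# set_rootcheck_frequency FILE SECONDS -> rewrites the <frequency> element that
# sits between <rootcheck> and </rootcheck>; any other <frequency> is left alone.
# Returns non-zero if SECONDS is not an integer or the element was not found.
set_rootcheck_frequency() {
    case "$2" in
        ''|*[!0-9]*) echo "frequency must be an integer" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    if sed "/<rootcheck>/,/<\/rootcheck>/ s|<frequency>[0-9]*</frequency>|<frequency>$2</frequency>|" "$1" > "$tmp"; then
        # cat into the original keeps its owner and permissions
        cat "$tmp" > "$1"
    fi
    rm -f "$tmp"
    # Confirm the new value is really present inside the rootcheck section
    sed -n "/<rootcheck>/,/<\/rootcheck>/p" "$1" | grep -q "<frequency>$2</frequency>"
}

# Usage on an agent (default install path assumed; the agent must be restarted
# to pick up the change):
#   set_rootcheck_frequency /var/ossec/etc/ossec.conf "$(host_frequency "$(hostname)")" \
#       && /var/ossec/bin/ossec-control restart
```

Because the value depends only on the hostname, rerunning the script is idempotent and needs no reboot or per-VM bookkeeping.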