<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Well, I surely can't count on my fingers how many events are generated
every minute. But I can say it gets close to 200 security events per
second. What would result in something about 360k events every 30
minutes.<br>
<br>
Hobbit client shouldn't analyze these events and return to the server
only the matching ones?<br>
<br>
Thank you.<br>
<pre class="moz-signature" cols="72">Ricardo Alberto Schütz - Consultor
--------------------------------------------
Redix - Gestão em T.I. com Software Livre
<a class="moz-txt-link-freetext" href="http://www.redix.com.br">http://www.redix.com.br</a> - <a class="moz-txt-link-abbreviated" href="mailto:contato@redix.com.br">contato@redix.com.br</a>
Tel. Coml.: +55 (47) 3323-7313
Tel. Cel.: +55 (47) 9186-9868
--------------------------------------------
</pre>
<br>
<br>
Etienne Grignon wrote:
<blockquote
cite="mid:68e737a10804250844t1074b23p88a69928a3840d2f@mail.gmail.com"
type="cite">
<pre wrap="">Hello,
2008/4/22, Ricardo Alberto Schutz <a class="moz-txt-link-rfc2396E" href="mailto:ricardo@redix.com.br"><ricardo@redix.com.br></a>:
</pre>
<blockquote type="cite">
<pre wrap="">Can someone help on this?
We are having some trouble with BBWin. Our linux clients are configured in
central mode, so all the configuration is made on the server. Now we have to
watch some Windows clients, which are configured in local mode.
The problem is with the "msgs". One specific client goes purple sometimes.
But not the entire host, only msgs column. Procs, disk, memory, svcs and etc
are all green, only msgs column goes purple.
My BBWin.cfg is as follows
<?xml version="1.0" encoding="utf-8" ?> <configuration> <bbwin> <setting
name="bbdisplay" value="ourbbdisplay:1984" />
...
<setting name="mode" value="local" /> <setting name="configclass"
value="win32" /> ...
<load name="msgs" value="msgs.dll"/> <load name="procs"
value="procs.dll"/> <load name="stats" value="stats.dll"/>
<load many others...>
...
</bbwin> <cpu> ...
</cpu> <disk> ...
</disk> <externals> ...
</externals> <memory> ...
</memory> <msgs> <setting name="alwaysgreen" value="false" /> <setting
name="delay" value="30m" /> <match logfile="System" type="error"
alarmcolor="red" /> <match logfile="System" type="warning"
alarmcolor="yellow" /> <match logfile="Application" type="error"
alarmcolor="red" /> <match logfile="Application" type="warning"
alarmcolor="yellow" /> <match logfile="Security" type="fail" />
<ignore logfile="Security" eventid="537" /> <ignore logfile="Application"
eventid="17" />
</msgs> <procs> ...
</procs> <svcs> ...
</svcs> <uptime> ...
</uptime> </configuration>
Is there something wrong with the configuration? How can I find out why is
it going purple? There's no "Client data" avaliable, maybe because it's
running in "local mode"?
</pre>
</blockquote>
<pre wrap=""><!---->
The problem may be that there are too many events in your event log,
so it takes too much time to get the last 30 minutes events to be sent
to hobbit.
Could you check how many events are generated in your event log every minute ?
Regards,
</pre>
</blockquote>
</body>
</html>