alienvault ossim

akanarya

Member
Dec 18, 2020
14
0
6
50
Hi,

I installed alienvault ossim on my proxmox cluster as a siem solution of my network.
Infact I guess this question can be more related with ossim itself than proxmox, but
i would like to know your experience.

Running proxmox machine has 2x4-core xeon e5410 with 16gb ram.
Ossim uses 3 cores of host cpu, because of ssse3 requirement of ossim and 7gb of ram.
On the same machine there is only one guest running additionally, which is a relatively lightweigth pihole/isc-dhcp server,
and it has a cpu load of almost none.

Ossim guest is consuming 100% cpu of 3 cores almost all time, i see python processes are taking all.
I know my server has obsolote cpus according to day but i saw that it can handle a lot of things before.
Ossim installation is new and I didnt bind any data source to ossim, just itself.
I did all updates and upgrades of ossim and to proxmox too.

I didnt try ossim on a dedicated machine so i have no experience what it will do on a standalone server.
What are your thoughts or experiences if you had about this max cpu usage ?
I learned that siem product is a kind of complex, relatively heavy solution but i havent load it now other than its default settings by now.
Can the problem be running in a virtual machine?

Thanks
 
Had a bit of experience with ossim a rather long time ago (so it might not be too accurate anymore).
ossim was rather heavyweight in general and was using quite a lot of ressources (even without doing too much in terms of NIDS, SIEM,...).
However back then the load was mostly from mysql and related parts of the stack.
also python-processes running at 100% CPU at all time - might indicate a misconfiguration on the deployment (or a bug in ossim)

As a general suggestion - check the logs inside the ossim VM - maybe the python processes write there what they are doing.

But asking in the ossim support-channels might yield a more accurate answer

I hope this helps!
 
Thanks your feedback Stoiko, sorry for my late reply, i wanted to dig it more before.
I tried many things, and dealt with the logs.
Unfortunatelly the best i could get via
-moving disk from ceph to local
-removing HIDS/NIDS plugins
-increasing the core number from 3 to 6 :))
most recent updates have more responds.
i installed it on a standalone computer, and works far better.
Probably my obsolote proxmox machines are not enough for ossim guest.
I will run the ossim on this standalone machine and be prepared for a disaster using proxmox guest.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!