If you enable all the checks on the server, i.e. file integrity check, rootkit detection etc., then yes, it sends a large amount of data to the OSSEC Server, i.e. hash info about each file on the server.
Make a selection of the files to be monitored and review the ossec.conf file accordingly: only put those directories under <directories></directories> in the <syscheck> block which are most important, and put others in the <ignore></ignore> tag. Also change the frequency of the integrity check as per your needs; the default is set to 86400 (24 hours). An example would be:
The default configuration to monitor a Unix, Linux, or BSD operating system is:
Code:
<ossec_config>
  <syscheck>
    <frequency>86400</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
  </syscheck>
</ossec_config>
The options which you can use with the <directories> tag are:
Code:
Option        Description
check_all     Perform all available integrity checks
check_sum     Use MD5/SHA1 to check the integrity of files
check_size    Check files for size changes
check_owner   Check files for ownership changes
check_group   Check files for group ownership changes
check_perm    Check files for permission changes