
A few days ago I noticed that the disk of my Ubuntu server was almost full. I dug a bit and found out that the disk space was used by OSSEC, in the /var/ossec/queue/diff folder.

I wanted to try something immediate, so I deleted the contents of this folder. Everything kept working normally and the disk space usage went back to a "normal" amount.

But the OSSEC queue folder is growing again.

Is there a setting to prevent the OSSEC queue from using all the disk space?

4 Answers


As far as I know, OSSEC itself doesn't delete logs. Look at the documentation

Where are OSSEC's logs stored?

On OSSEC server and local installs there are several classes of OSSEC logs. There are the logs created by the OSSEC daemons, the log messages from the agents, and the alerts. Agent installs do not have logs from other agents or alerts, but do have logs created by the OSSEC processes.

All logs are stored in subdirectories of /var/ossec/logs. OSSEC’s log messages are stored in /var/ossec/logs/ossec.log.

Log messages from the agents are not stored by default. After analysis they are deleted unless the option is included in the manager’s ossec.conf. If set all log messages sent to the manager are stored in /var/ossec/logs/archives/archives.log and rotated daily.

Alerts are stored in /var/ossec/logs/alerts/alerts.log, and rotated daily.

You can use logrotate to rotate the ossec logs, but the /var/ossec/queue/diff folder is another story.

You can safely delete the files in there and maintain OSSEC functionality, but you will lose the difference reports.

  • Sorry but I don't see the point between the logs and the folder /var/ossec/queue/diff that I mention. For now I'm only concerned about the disk space usage of that specific folder (logs only use a few KB).
    – Sinklar
    Commented May 7, 2015 at 12:57
  • @Sinklar it was just a general tip to use logrotate on OSSEC logs, the other problem (/var/ossec/queue/diff) is exactly what I wrote. The directory won't be cleared / rotated by OSSEC or anything else, you have to write a script to delete /backup and move the files now and then, or delete them manually. Or you just stop using the option for logging file differences if you don't use them.
    – Lenniey
    Commented May 7, 2015 at 13:53
  • @Lenniey what is stored in /var/ossec/queue/diff? I can see a lot of files called 'last-entry', which makes me assume that every time this scan is run, the last copy of the file is stored (even for binaries). My /var/ossec/queue/diff/local/etc is 16GB. At this point I have started to think it's not just the last entry but a number of entries, because my /etc is very light. Is there a way of clearing disk without impacting the difference report?
    Commented Jan 9, 2018 at 15:07

It seems that if you add report_changes to your directories like I did, it can cause this: /home/wordpress/sites/

Report Changes

OSSEC supports sending diffs when changes are made to text files on Linux and unix systems.

Configuring syscheck to show diffs is simple, add report_changes="yes" to the

/etc /bin,/sbin

Note

Report Changes can only work with text files, and the changes are stored on the agent inside /var/ossec/queue/diff/local/dir/file. If OSSEC has not been compiled with libmagic support, report_changes will copy any file designated, e.g. mp3, iso, executable, /chroot/dev/urandom (which would fill your hard drive). So unless libmagic is used, be very careful on which directory you enable report_changes.
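Before deciding which directories to drop report_changes from, it helps to know which monitored files actually own the space and whether any of their snapshots are binary (the libmagic caveat quoted above). The script below is an added example, not the answerer's or the OSSEC project's code. It assumes the queue layout described in this thread (one directory per monitored file under /var/ossec/queue/diff/local, holding last-entry plus state.<epoch> and diff.<epoch> files) and uses a NUL-byte check as a stand-in for libmagic; the root path and the top-N count are my own parameters.

```python
#!/usr/bin/env python3
"""Report which monitored files are filling the OSSEC diff queue.

Added example; not OSSEC code. Assumed layout (from the thread):
/var/ossec/queue/diff/local/<monitored path>/{last-entry,state.<epoch>,diff.<epoch>}
"""
import os
import sys

DEFAULT_ROOT = "/var/ossec/queue/diff/local"  # assumption: default OSSEC install path


def looks_binary(path, sample=8192):
    """Heuristic stand-in for libmagic: a NUL byte in the first 8 KiB means
    the snapshot is not a text file, so report_changes should not cover it."""
    try:
        with open(path, "rb") as fh:
            return b"\x00" in fh.read(sample)
    except OSError:
        return False


def scan_diff_tree(root=DEFAULT_ROOT):
    """Return one record per monitored file, largest total first.

    Record: (monitored_path, total_bytes, snapshot_count, is_binary), where
    monitored_path is reconstructed from the queue layout, e.g.
    .../diff/local/etc/passwd/ -> /etc/passwd.
    """
    records = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "last-entry" not in filenames:
            continue  # an intermediate directory, not a per-file snapshot dir
        total = 0
        snapshots = 0
        for name in filenames:
            try:
                total += os.lstat(os.path.join(dirpath, name)).st_size
            except OSError:
                continue  # file vanished between listing and stat
            if name.startswith(("state.", "diff.")):
                snapshots += 1
        monitored = "/" + os.path.relpath(dirpath, root)
        binary = looks_binary(os.path.join(dirpath, "last-entry"))
        records.append((monitored, total, snapshots, binary))
    records.sort(key=lambda r: r[1], reverse=True)
    return records


def main(argv):
    """Usage: diff_usage.py [ROOT] [TOP]  (run as root against the real tree)."""
    root = argv[1] if len(argv) > 1 else DEFAULT_ROOT
    top = int(argv[2]) if len(argv) > 2 else 20
    print(f"{'bytes':>12} {'snaps':>6} {'type':<6} monitored file")
    for monitored, total, snapshots, binary in scan_diff_tree(root)[:top]:
        print(f"{total:>12d} {snapshots:>6d} {'BINARY' if binary else 'text':<6} {monitored}")


if __name__ == "__main__":
    main(sys.argv)
```

A monitored path flagged BINARY with a large total is exactly the case the documentation warns about: the agent is copying a non-text file on every change, and that directory should lose report_changes="yes" rather than just be cleaned.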


Logrotate is the answer (as mentioned by Lenniey), but this'll only work once in a while. Why not use the long forgotten lore of disk quota to prevent logs from eating all free space?

  • Maybe I just don't understand why you also suggest that but... again, I don't see a relation between logrotate, the OSSEC diff disk usage and how to tell OSSEC diff to not use all available disk space. It's not about logs, as far as I can tell.
    – Sinklar
    Commented May 7, 2015 at 13:10

Very old post, but as I find myself in same situation again, I will document my solution here this time. May help someone or at least my future self.

First to answer OP, the main and only way to control the diff generation with OSSEC itself is the report_changes parameter on <directories> element in your ossec.conf file. For example:

<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin,/boot</directories>

The report_changes param is what tells ossec to create a diff for each file in that directory. That diff is created each time a file is changed. So you can imagine why the diff dir gets huge over time.

Unfortunately there is no other way to control that with ossec itself. It's up to you to cleanup the diff folder yourself or just disable reporting on folders that get too big.

I chose the first option: cleanup the diff folder myself. For that I created a simple bash script that I run with daily cron. It goes something like this:

#!/bin/bash
DIFFPATH=/var/ossec/queue/diff/local
KEEP_DAYS=365

# Delete snapshot files named state.<epoch> or diff.<epoch> that have not
# been modified in the last $KEEP_DAYS days. Letting find do the deletion
# avoids the word-splitting problems of looping over its output, and the
# two explicit -name patterns match only those prefixes, so last-entry and
# the directories themselves are never touched.
find "$DIFFPATH" -type f \( -name 'state.*' -o -name 'diff.*' \) \
     -mtime +"$KEEP_DAYS" -delete

Note that this does not delete directories, nor the last-entry file. Only files such as diff.1583679666 and state.1583679666 are deleted. So you will still keep the latest version, even if it is very old.
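Age-based pruning like the cron script above discards the whole history of any file that has not changed for a year, which is what the earlier comment was worried about ("without impacting difference report"). An alternative, added here as an example that is not the answerer's script or OSSEC's own code, keeps a fixed number of the newest state/diff pairs per monitored file and never touches last-entry, which syscheck needs to produce the next diff. The layout assumptions are the same as in the answer; the default of ten retained snapshots, the dry-run default and the --delete flag are my own choices.

```python
#!/usr/bin/env python3
"""Prune OSSEC diff snapshots, keeping the newest N per monitored file.

Added example; not OSSEC code. Assumed layout (from the thread):
/var/ossec/queue/diff/local/<monitored path>/{last-entry,state.<epoch>,diff.<epoch>}
"""
import os
import sys

DEFAULT_ROOT = "/var/ossec/queue/diff/local"  # assumption: default OSSEC install path
PREFIXES = ("state.", "diff.")


def snapshot_epoch(name):
    """Return the integer epoch of a state.<epoch>/diff.<epoch> name, else None."""
    for prefix in PREFIXES:
        suffix = name[len(prefix):]
        if name.startswith(prefix) and suffix.isdigit():
            return int(suffix)
    return None  # last-entry, or anything else we must not touch


def plan_prune(root=DEFAULT_ROOT, keep=10):
    """Return the absolute paths of snapshot files to delete so that only the
    `keep` newest epochs remain in each per-file directory. Pure planning:
    nothing is removed here, so the list can be reviewed first."""
    doomed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "last-entry" not in filenames:
            continue  # not a per-file snapshot directory
        epochs = sorted({e for e in map(snapshot_epoch, filenames) if e is not None},
                        reverse=True)
        stale = set(epochs[keep:])  # everything older than the newest `keep`
        for name in filenames:
            if snapshot_epoch(name) in stale:
                doomed.append(os.path.join(dirpath, name))
    return sorted(doomed)


def prune(root=DEFAULT_ROOT, keep=10, dry_run=True):
    """Delete (or, when dry_run, only list) stale snapshots. Returns the paths."""
    targets = plan_prune(root, keep)
    if not dry_run:
        for path in targets:
            try:
                os.remove(path)
            except FileNotFoundError:
                pass  # already gone, nothing to do
    return targets


def main(argv):
    """Usage: prune_diff.py [ROOT] [KEEP] [--delete]; without --delete it only lists."""
    args = [a for a in argv[1:] if a != "--delete"]
    root = args[0] if args else DEFAULT_ROOT
    keep = int(args[1]) if len(args) > 1 else 10
    for path in prune(root, keep, dry_run="--delete" not in argv):
        print(path)


if __name__ == "__main__":
    main(sys.argv)
```

Because state and diff files for one change share the same epoch suffix, pruning by epoch removes them as a pair and never leaves a diff without the state it was computed from. Run it without --delete first and read the list; a per-file count is also easier to reason about than a global age when a few files churn constantly while most never change.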
