Here is my solution if you are using active response and allow remote commands.
AR Script (/var/ossec/active-response/bin/fix-var.sh)

#!/bin/bash
# Active-response script: remove the agent's diff queue and log the run.
ARCommand='rm -rf /var/ossec/queue/diff/local/'
RDate=`date`
LOG=/var/ossec/logs/ar.log
date >> ${LOG}
$ARCommand >> ${LOG}

AR Rule (/var/ossec/rules/local_rules.xml)

<rule id="100113" level="8" >
  <if_sid>530</if_sid>
  <match>ossec: output: 'df /var':</match>
  <regex>DiskFull</regex>
  <description>/var is getting full. Clearing logs</description>
  <group>low_diskspace,</group>
</rule>

Command (/var/ossec/etc/shared/agent.conf)

<!-- The command as posted tested ${percent} without ever setting it, so the
     check could never fire. It is computed here from the two values the
     command already collects (diff queue size as a share of /var); that
     reading of the intent is an assumption. -->
<localfile>
  <log_format>command</log_format>
  <command>Disk=`df /var | tail -1 | awk '{print $2}'`;vSize=`du /var/ossec/queue/diff/local | awk '{print $1}' | tail -1`;percent=$((vSize * 100 / Disk));dStatus=`df -h /var | tail -1`;if [[ ${percent} -gt "75" ]]; then echo -n "DiskFull ${dStatus}";fi</command>
  <frequency>360</frequency>
  <alias>df /var</alias>
</localfile>

Note: You can change the percentage at which this is activated to fit your environment. (if [[ ${percent} -gt "75" ]]) Change the '75' to the percentage at which you would like it to activate.

From: <ossec-list@googlegroups.com> on behalf of Bee esS <bs27...@gmail.com>
Reply-To: "ossec-list@googlegroups.com" <ossec-list@googlegroups.com>
Date: Thursday, April 20, 2017 at 1:03 PM
To: ossec-list <ossec-list@googlegroups.com>
Subject: [ossec-list] Re: Deleting the OSSEC agent 'queue' directory

Bump.

On Wednesday, 19 August 2015 10:51:26 UTC-4, Jamey B wrote:

I'm making a CRON job to remove anything in the queue folder, would this be a good CRON job if I wanted the directory cleared if the items are over 5 days old and I want it run once a day at 10PM? The last time I took my OSSEC server down, the agent disk space started getting too big in /var/ossec/queue/diff/local after a few weeks. Would any other directories do the same thing, or is this the only directory that gets queue data?

0 22 * * * /usr/bin/find /var/ossec/queue/diff/local/* -mtime +5 -exec rm {} \;

I don't want the OSSEC agent to take up a lot of disk space, what else could I do?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
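
An age-based alternative to both the cron line and the rm -rf active-response script in this thread, as an added example that is not part of the original messages: it prunes only files older than a given number of days, and refuses to run on a symlinked or unexpected path, since it runs as root. The function name prune_old_diffs and the DIFF_ROOT variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): age-based pruning of the OSSEC diff queue.
# DIFF_ROOT and prune_old_diffs are illustrative names, not OSSEC settings.
DIFF_ROOT="${DIFF_ROOT:-/var/ossec/queue/diff/local}"

# prune_old_diffs DIR DAYS
# Removes regular files under DIR last modified more than DAYS days ago, then
# any directories left empty. Prints the number of files removed.
# Returns 2 and deletes nothing if the arguments look unsafe.
prune_old_diffs() {
    dir=$1
    days=$2

    # DAYS must be a plain non-negative integer.
    case $days in
        ''|*[!0-9]*) echo "prune_old_diffs: bad day count: $days" >&2; return 2 ;;
    esac

    # Refuse a missing directory or a symlink standing in for it.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "prune_old_diffs: not a real directory: $dir" >&2
        return 2
    fi

    # Resolve the physical path and refuse anything outside the expected tree.
    real=$(cd "$dir" && pwd -P) || return 2
    case $real in
        "$DIFF_ROOT"|"$DIFF_ROOT"/*) ;;
        *) echo "prune_old_diffs: $real is outside $DIFF_ROOT" >&2; return 2 ;;
    esac

    # No shell glob: dotfiles and very large directories are handled, and find
    # does not follow symlinks by default. -xdev stays on one filesystem.
    removed=$(find "$real" -xdev -type f -mtime +"$days" -print \
                  -exec rm -f -- {} + | wc -l)

    # Remove directories that are now empty, deepest first; keep DIR itself.
    find "$real" -xdev -mindepth 1 -depth -type d -empty -exec rmdir -- {} \;

    echo "$((removed))"
}

# Cron usage (assumed install path): 0 22 * * * /usr/local/sbin/prune-diffs.sh /var/ossec/queue/diff/local 5
if [ "$#" -eq 2 ]; then
    prune_old_diffs "$1" "$2"
fi
```
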