Answers inline below.

On 4/20/17, 2:17 PM, "ossec-list@googlegroups.com on behalf of B. S." <ossec-list@googlegroups.com on behalf of bs27...@gmail.com> wrote:

> Kewl! Thank you!
>
> > Here is my solution if you are using active response and allow remote commands.
>
> Ah, but reading it, you also answer local installs! Thank you!
>
> So, just deleting files in /var/ossec/queue/diff/local/ won't befuddle ossec?

– I had the same concern but have not run into any major issues with deleting this directory. I have run into a couple of minor issues where a file changes but you do not receive the diff in the alerts log. I believe this is because once you delete the 'diff/local' directory, the agent does not have the previous version of the file to perform the diff.

> What are the consequences / impact? Loss of change history, presumably.

– As long as all of the events/logs are being forwarded to the OSSEC server you should not have any issues. This directory only keeps the diffs and the current state of the files that are being monitored with the 'report_changes' option. Once a change has been found the diff is forwarded to the OSSEC console.

> er, more precisely, loss of change history between versions at a point in time, I guess.
>
> On 04/20/2017 01:41 PM, Patrick Tobin wrote:
> > Here is my solution if you are using active response and allow remote commands.
> >
> > AR Script (/var/ossec/active-response/bin/fix-var.sh)
> >
> >     #!/bin/bash
> >     # Active response: remove the agent's local diff queue and log the action.
> >     LOG=/var/ossec/logs/ar.log
> >     DIFFDIR=/var/ossec/queue/diff/local/
> >     echo "$(date) removing ${DIFFDIR}" >> "${LOG}"
> >     rm -rf "${DIFFDIR}" >> "${LOG}" 2>&1
> >
> > AR Rule (/var/ossec/rules/local_rules.xml)
> >
> >     <rule id="100113" level="8">
> >       <if_sid>530</if_sid>
> >       <match>ossec: output: 'df /var':</match>
> >       <regex>DiskFull</regex>
> >       <description>/var is getting full. Clearing logs</description>
> >       <group>low_diskspace,</group>
> >     </rule>
> >
> > Command (/var/ossec/etc/shared/agent.conf)
> >
> >     <localfile>
> >       <log_format>command</log_format>
> >       <command>dStatus=`df -h /var | tail -1`;percent=`df -P /var | tail -1 | awk '{print $5}' | tr -d '%'`;if [ "${percent}" -gt "75" ]; then echo -n "DiskFull ${dStatus}";fi</command>
> >       <frequency>360</frequency>
> >       <alias>df /var</alias>
> >     </localfile>
> >
> > Note: You can change the percentage at which this is activated to fit your environment. (if [ "${percent}" -gt "75" ]) Change the '75' to the percentage you would like it to activate.
> >
> > From: <ossec-list@googlegroups.com> on behalf of Bee esS <bs27...@gmail.com>
> > Reply-To: "ossec-list@googlegroups.com" <ossec-list@googlegroups.com>
> > Date: Thursday, April 20, 2017 at 1:03 PM
> > To: ossec-list <ossec-list@googlegroups.com>
> > Subject: [ossec-list] Re: Deleting the OSSEC agent 'queue' directory
> >
> > > Bump.
> > >
> > > On Wednesday, 19 August 2015 10:51:26 UTC-4, Jamey B wrote:
> > > > I'm making a CRON job to remove anything in the queue folder. Would this be a good CRON job if I wanted the directory cleared of items over 5 days old, run once a day at 10PM? The last time I took my OSSEC server down, the agent disk space started getting too big in /var/ossec/queue/diff/local after a few weeks. Would any other directories do the same thing, or is this the only directory that gets queue data?
> > > >
> > > >     0 22 * * * /usr/bin/find /var/ossec/queue/diff/local/* -mtime +5 -exec rm {} \;
> > > >
> > > > I don't want the OSSEC agent to take up a lot of disk space; what else could I do?
> > >
> > > --
> > > ---
> > > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
> > > For more options, visit https://groups.google.com/d/optout.
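As an added example (not code from this thread or from the OSSEC project), the following POSIX sh script does what Patrick's agent.conf command and Jamey's cron job aim at, but in a form that is checkable offline: it derives the /var use percentage from `df -P` output, emits the "DiskFull" line that rule 100113 matches on when a threshold is exceeded, and prunes only regular files older than N days under the diff directory instead of removing the directory itself, so files diffed recently keep the baseline the agent needs (the gap Patrick describes above). The `df` sample is constructed; the directory path and the 75% threshold are the thread's own, and the function names are mine.

```shell
#!/bin/sh
# Added example: /var threshold check plus age-based pruning of the OSSEC
# agent's local diff queue. Not part of the mailing-list thread.

# Constructed sample of `df -P /var` output (not captured from a real host).
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda3         51474912 41180000   7657000      85% /var'

# Print the integer use percentage from the last line of df -P output.
# -P forces the POSIX single-line format, so field 5 is always "NN%".
df_used_percent() {
    printf '%s\n' "$1" | tail -n 1 | awk '{ sub("%", "", $5); print $5 }'
}

# Emit "DiskFull <df line>" and return 0 when usage exceeds the threshold;
# print nothing and return 1 otherwise. The "DiskFull" token is what the
# thread's rule 100113 matches via <regex>DiskFull</regex>.
check_var_usage() {
    df_text=$1
    threshold=${2:-75}
    used=$(df_used_percent "$df_text")
    if [ "$used" -gt "$threshold" ]; then
        printf 'DiskFull %s\n' "$(printf '%s\n' "$df_text" | tail -n 1)"
        return 0
    fi
    return 1
}

# Delete only regular files older than $2 days below $1. The directory and
# anything modified within the last $2 days stay in place, so files the
# agent diffed recently keep their previous version. Prints each removed path.
prune_old_diffs() {
    dir=$1
    days=${2:-5}
    [ -d "$dir" ] || return 1
    find "$dir" -type f -mtime +"$days" -print -exec rm -f {} +
}

# Live use on an agent (path as in the thread; assumes a POSIX df):
#   check_var_usage "$(df -P /var)" 75 && prune_old_diffs /var/ossec/queue/diff/local 5
```

Run as the agent's command output, the first function prints one line only when the threshold is crossed, which keeps rule 530 noise down; the pruning step is deliberately file-level and age-based rather than `rm -rf` on the directory, because the directory holds the current state files that later diffs are computed against.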