Answers inline below.

On 4/20/17, 2:17 PM, "ossec-list@googlegroups.com on behalf of B. S." 
<ossec-list@googlegroups.com on behalf of bs27...@gmail.com> wrote:

    Kewl! Thank you!
    
     > Here is my solution if you are using active response and allow remote 
    commands.
    
    Ah, but reading it, you also answer local installs! Thank you!
    
    So, just deleting files in /var/ossec/queue/diff/local/ won't befuddle 
    ossec?

I had the same concern but have not run into any major issues with deleting 
this directory. I have run into a couple of minor issues where a file changes 
but you do not receive the diff in the alerts log. I believe this is because 
once you delete the ‘diff/local’ directory, the agent does not have the 
previous version of the file to perform the diff.
    
    What are the consequences / impact? Loss of change history, presumably.

As long as all of the events/logs are being forwarded to the OSSEC server you 
should not have any issues. This directory only keeps the diffs and the current 
state of the files that are being monitored with the ‘report_changes’ option. 
Once a change has been found the diff is forwarded to the OSSEC console.
    
    er, more precisely, loss of change history between versions at a point 
    in time, I guess. 
    
    
    On 04/20/2017 01:41 PM, Patrick Tobin wrote:
    > Here is my solution if you are using active response and allow remote commands.
    >
    > AR Script (/var/ossec/active-response/bin/fix-var.sh)
    >
    > #!/bin/bash
    > ARCommand='rm -rf /var/ossec/queue/diff/local/'
    > RDate=`date`
    > LOG=/var/ossec/logs/ar.log
    > date >> ${LOG}
    > $ARCommand >> ${LOG}
    >
    > AR Rule (/var/ossec/rules/local_rules.xml)
    >
    >    <rule id="100113" level="8" >
    >      <if_sid>530</if_sid>
    >      <match>ossec: output: 'df /var':</match>
    >      <regex>DiskFull</regex>
    >      <description>/var is getting full. Clearing logs</description>
    >      <group>low_diskspace,</group>
    >    </rule>
    >
    > Command (/var/ossec/etc/shared/agent.conf)
    >
    >    <localfile>
    >      <log_format>command</log_format>
    >      <command>Disk=`df /var | tail -1 | awk '{print $2}'`;vSize=`du /var/ossec/queue/diff/local | awk '{print $1}' | tail -1`;dStatus=`df -h /var | tail -1`;percent=`df -P /var | tail -1 | awk '{print $5}' | tr -d '%'`;if [[ ${percent} -gt "75" ]]; then echo -n "DiskFull ${dStatus}";fi</command>
    >      <frequency>360</frequency>
    >      <alias>df /var</alias>
    >    </localfile>
    >
    > Note: You can change the percentage at which this is activated to fit your environment. (if [[ ${percent} -gt "75" ]]) Change the ‘75’ to the percentage you would like it to activate.
    >
    >
    >
    > From: <ossec-list@googlegroups.com> on behalf of Bee esS <bs27...@gmail.com>
    > Reply-To: "ossec-list@googlegroups.com" <ossec-list@googlegroups.com>
    > Date: Thursday, April 20, 2017 at 1:03 PM
    > To: ossec-list <ossec-list@googlegroups.com>
    > Subject: [ossec-list] Re: Deleting the OSSEC agent 'queue' directory
    >
    > Bump.
    >
    > On Wednesday, 19 August 2015 10:51:26 UTC-4, Jamey B wrote:
    > I'm making a CRON job to remove anything in the queue folder, would this be a good CRON job if I wanted the directory cleared if the items are over 5 days old and I want it ran once a day at 10PM? The last time I took my OSSEC server down, the agent disk space started getting too big in /var/ossec/queue/diff/local after a few weeks. Would any other directories do the same thing, or is this the only directory that gets queue data?
    >
    > 0 22 * * * /usr/bin/find /var/ossec/queue/diff/local/* -mtime +5 -exec rm {} \;
    >
    >
    > I don't want the OSSEC agent to take up a lot of disk space, what else could I do?
    > --
    >
    > ---
    > You received this message because you are subscribed to the Google Groups "ossec-list" group.
    > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com.
    > For more options, visit https://groups.google.com/d/optout.
    >
    
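Added example, not from this thread and not OSSEC project code: one POSIX sh script that does the two things the thread discusses, checking how full /var is and trimming the agent's diff store, but written as small functions so each step can be tested on its own. The path /var/ossec/queue/diff/local, the 75% threshold and the 5-day age all come from the messages above and are treated as assumptions here; the df output embedded in the script is a constructed sample. It prints the same "DiskFull ..." marker the rule above keys on, and prunes only diff entries older than N days instead of removing the whole diff/local tree, so the agent keeps recent baselines for report_changes.

```shell
#!/bin/sh
# Added example (not from the thread or the OSSEC project).
#   df_used_percent  - parse the Use% column out of df output
#   over_threshold   - compare a percentage against the threshold
#   disk_status_line - print "DiskFull <df -h line>" when /var is over threshold
#                      (the rule in the thread matches on <regex>DiskFull</regex>)
#   prune_old_diffs  - delete only diff files older than N days
# Paths and defaults below are taken from the thread; they are assumptions.

DIFF_DIR="${DIFF_DIR:-/var/ossec/queue/diff/local}"  # agent diff store (from the thread)
THRESHOLD="${THRESHOLD:-75}"                          # percent; the thread's default
MAX_AGE_DAYS="${MAX_AGE_DAYS:-5}"                     # same as the thread's cron example

# Constructed sample of `df -P` output, used for the stand-alone demo and tests.
SAMPLE_DF='Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/sda2         40960000 33587200   7372800      82% /var'

# Print the used percentage (without the % sign) from the df output passed as $1.
# Takes the first field on the data line that looks like "NN%", so the column
# position does not matter and wrapped long device names are tolerated.
df_used_percent() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+%$/) { sub(/%/, "", $i); print $i; exit }
    }'
}

# True when $1 (used percent) is strictly greater than $2 (threshold).
over_threshold() {
    [ "$1" -gt "$2" ]
}

# Emit "DiskFull <last df -h line>" for mount point $1 when over threshold.
disk_status_line() {
    out=$(df -P "$1") || return 1
    pct=$(df_used_percent "$out")
    [ -n "$pct" ] || return 1
    if over_threshold "$pct" "$THRESHOLD"; then
        printf 'DiskFull %s\n' "$(df -h "$1" | tail -1)"
    fi
}

# Remove regular files under $1 older than $2 days; print how many were removed.
# Fails (returns 1) when the directory does not exist, rather than touching
# anything else.
prune_old_diffs() {
    [ -d "$1" ] || return 1
    n=$(find "$1" -type f -mtime +"$2" | wc -l | tr -d ' ')
    find "$1" -type f -mtime +"$2" -exec rm -f {} +
    echo "$n"
}

main() {
    echo "sample df parses to: $(df_used_percent "$SAMPLE_DF")%"   # 82%
    disk_status_line /var
    if removed=$(prune_old_diffs "$DIFF_DIR" "$MAX_AGE_DAYS"); then
        echo "removed $removed stale diff file(s) from $DIFF_DIR"
    else
        echo "$DIFF_DIR not present; nothing pruned"
    fi
}

# Run only when invoked as "sh script.sh run", so the functions can be sourced.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Pointing the <command> element at this script instead of the inline one-liner, and the active-response script at `prune_old_diffs`, keeps the alert and the cleanup in one place and leaves the agent's most recent file snapshots intact.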
