Hi,

Archives functionality is designed to log everything (all the events, be they alerts or not); I think it is pretty normal that this file grows so much if you have a large environment.

I can't see a way to make OSSEC rotate the file more than daily (or split it). If you want to split the file with an external application (like logrotate), maybe that works; I just tested it and OSSEC does not complain if you modify alerts.log or archives.log. Anyway, be careful not to delete the *archives.log* symlink or *archives/year/month/ossec-archives-day.log*, or OSSEC won't register any events until the next day.

Regards,
Pedro S.

On Friday, February 26, 2016 at 2:14:30 PM UTC+1, Openshaw, Dave wrote:

> Hello
>
> Please tell me, how can I change settings for log rotation by ossec-monitord? I see only options that change compression and signing.
>
> If this is not possible, can I use logrotate.d to produce splinter copies of the ‘archives’ file (which is very large in my environment) on a more regular basis than the daily copy? Will the chroot limitation allow this?
>
> The reason for this is that we do not use OSSEC as the SIEM in this scenario and therefore parse the archives file on a realtime basis using a 3rd party SIEM agent which does not like enormous/dynamic files.
>
> Kind Regards
>
> Dave.O
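An added example (not from either poster) of the external-rotation approach Pedro describes: a logrotate stanza that truncates the current daily file in place instead of renaming or deleting it, so the archives.log symlink and the ossec-archives-day.log file stay where OSSEC expects them. The /var/ossec install prefix, the 200M size trigger and the retention count are assumptions, not values from the thread.

```conf
# Added example, not from the thread: split OSSEC's archive log with logrotate
# without removing the file OSSEC is writing to.
# Assumes the default /var/ossec prefix; adjust to your install.
#
# Target the real per-day file, not the archives.log symlink: the thread notes
# that deleting either stops OSSEC logging until the next day, and current
# logrotate releases skip symlinked logs anyway.
/var/ossec/logs/archives/*/*/ossec-archives-*.log {
    # Run logrotate hourly from cron (e.g. /etc/cron.hourly) and only split
    # once the file exceeds this threshold (assumed value); "size" makes
    # logrotate ignore its daily schedule and act whenever the limit is hit.
    size 200M
    # Copy the contents to a rotated file, then truncate the original in place.
    # The path, inode and symlink all survive, so OSSEC keeps appending.
    copytruncate
    # Timestamp rotated copies with epoch seconds: the default -%Y%m%d suffix
    # would collide on the second rotation of the same day and be skipped.
    dateext
    dateformat -%Y%m%d-%s
    # Keep a bounded number of splinter copies; compress all but the newest so a
    # SIEM agent still reading the previous copy is not handed gzip data.
    rotate 48
    compress
    delaycompress
    # No file yet today (before the first event) is not an error.
    missingok
    notifempty
}
```

Two practitioner caveats: copytruncate has a short window between the copy and the truncate in which newly written lines are lost, and the third-party agent tailing the file must detect the truncation (most tailers reopen when the file shrinks, but check yours).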