> To clear a syscheck db:
> 1. stop the ossec processes on the server
> 2. /var/ossec/bin/syscheck_control -u AGENT_ID
> 3. Start the ossec processes on the server

Thank you - "To clear a syscheck db" gave me the context needed to better understand syscheck_control --help.

So:
> 2. /var/ossec/bin/syscheck_control -u AGENT_ID

Could also have been '/var/ossec/bin/syscheck_control -u all'.

Granted, you could not know I'm on a local install with no remote agents.

However, sadly, /var/ossec/queue is still quite large. Per the OP.

In particular, in my case, /var/ossec/queue/diff

What is the appropriate way to squish this dir down?
(Corresponding question would then be, specifying a 'checkpoint'? Is that even possible - to, say, maintain your original, or, say, as of 1 month ago, so that diffs between then and now are kept?)

I see references to just deleting files in diff. Is that safe? i.e. Won't befuddle ossec? (I get I'll lose the change history.)


On 04/20/2017 01:29 PM, dan (ddp) wrote:
On Thu, Apr 20, 2017 at 1:02 PM, Bee esS <bs27...@gmail.com> wrote:
If you need them shrunk, you'll have to clear the databases.

How?


When resurrecting 2+ year old threads, it might be best to offer more context.
To clear a syscheck db:
1. stop the ossec processes on the server
2. /var/ossec/bin/syscheck_control -u AGENT_ID
3. Start the ossec processes on the server


On Monday, 8 December 2014 08:03:57 UTC-5, dan (ddpbsd) wrote:

On Mon, Dec 8, 2014 at 7:17 AM, horst knete <badun...@hotmail.de> wrote:

Now looking at our /var/ossec/queue/syscheck queue directory at the server, this folder has a size of 5.4 GB and contains 2 "files" for almost every ossec-client.

Those files grow because there are changes on the systems they
represent. Those are the syscheck database files. If you need them
shrunk, you'll have to clear the databases. I don't know what the rest
of that means though (the cpu/ram/network stuff).

Because none of these lacks are given I'd like to know how I can decrease the size of this queue.

--

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

