Hi,
I think I just found out. Since Im running OSSEC on Server 2012 and in order to correctly view Event Viewer logs, I switched "eventlog" to "eventchannel" on ossec.conf event viewer settings. Witch, according to the OSSEC documentation, uses the "new" Event API for log translation. http://ossec-docs.readthedocs.io/en/latest/syntax/head_ossec_config.localfile.html Now, for troubleshooting I rolled back and it started working normally with normal disk consumption. I guess it’s this setting. However, I really needed it K otherwise I won’t be able to retrieve all the information from the event viewer logs. -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.