Re: [ossec-list] Re: Deleting the OSSEC agent 'queue' directory

2017-04-20 Thread Patrick Tobin
Answers inline below.
On 4/20/17, 2:17 PM, "ossec-list@googlegroups.com on behalf of B. S." wrote:
Kewl! Thank you!
> Here is my solution if you are using active response and allow remote commands.
Ah, but

Re: [ossec-list] Very big syscheck queue - how to deal with it?

2017-04-20 Thread dan (ddp)
On Thu, Apr 20, 2017 at 2:07 PM, B. S. wrote:
>> To clear a syscheck db:
>> 1. stop the ossec processes on the server
>> 2. /var/ossec/bin/syscheck_control -u AGENT_ID
>> 3. Start the ossec processes on the server
>
> Thank you - "To clear a syscheck db" gave me the context

[ossec-list] Override eventlog with eventchannel via Centralized agent config

2017-04-20 Thread Brett Simpson
I wasn't sure how to do this, or if it's possible, but I have a large number of OSSEC agents where I want to filter out specific Windows Event IDs agent-side. If I modify the ossec.conf on the agent and replace the log_format of my System from eventlog to eventchannel it works; however, if I leave

Re: [ossec-list] Very big syscheck queue - how to deal with it?

2017-04-20 Thread B. S.
> To clear a syscheck db:
> 1. stop the ossec processes on the server
> 2. /var/ossec/bin/syscheck_control -u AGENT_ID
> 3. Start the ossec processes on the server
Thank you - "To clear a syscheck db" gave me the context needed to better understand syscheck_control --help. So:
> 2.

[ossec-list] Re: Deleting the OSSEC agent 'queue' directory

2017-04-20 Thread Bee esS
Bump.
On Wednesday, 19 August 2015 10:51:26 UTC-4, Jamey B wrote:
>
> I'm making a CRON job to remove anything in the queue folder, would this be a good CRON job if I wanted the directory cleared if the items are over 5 days old and I want it ran once a day at 10PM? The last time I took my

Re: [ossec-list] Very big syscheck queue - how to deal with it?

2017-04-20 Thread Bee esS
> If you need them shrunk, you'll have to clear the databases.
How?
On Monday, 8 December 2014 08:03:57 UTC-5, dan (ddpbsd) wrote:
>
> On Mon, Dec 8, 2014 at 7:17 AM, horst knete wrote:
> >
> > Now looking at our /var/ossec/queue/syscheck queue directory at the
>

Re: [ossec-list] Very big syscheck queue - how to deal with it?

2017-04-20 Thread dan (ddp)
On Thu, Apr 20, 2017 at 1:02 PM, Bee esS wrote:
>> If you need them shrunk, you'll have to clear the databases.
>
> How?
>
When resurrecting 2+ year old threads, it might be best to offer more context.
To clear a syscheck db:
1. stop the ossec processes on the server
2.

Re: [ossec-list] Re: Deleting the OSSEC agent 'queue' directory

2017-04-20 Thread Patrick Tobin
Here is my solution if you are using active response and allow remote commands.
AR Script (/var/ossec/active-response/bin/fix-var.sh)
#!/bin/bash
# Command run by the active response: clears the agent's local diff queue
ARCommand='rm -rf /var/ossec/queue/diff/local/'
RDate=`date`
LOG=/var/ossec/logs/ar.log
# Record when the response fired, then run the command and log its output
date >> ${LOG}
$ARCommand >> ${LOG}
AR Rule