Hi Pete, I think your problem is really related to moving the ossec installs around. To properly remove it, just:
1-Stop the ossec processes
2-Remove the /var/ossec directory
3-Remove /etc/ossec-init.conf

As for syscheck, all its data is stored at /var/ossec/queue/syscheck. So, if you remove any file stored in there (after stopping ossec), you should clean it up.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Jan 18, 2008 10:40 AM, Peter Robinson <[EMAIL PROTECTED]> wrote:
> We haven't touched configuration in internal_options nor in syscheck
> configs and had been running fine for over 2 years then bam!
>
> As part of the syscheck, is there some internal store of data which has
> gotten into a mess? If so, can I delete it and restart?
>
> thanks
>
> Pete
>
> On Fri, 2008-01-18 at 10:17 -0200, Rodrigo Montoro (Sp0oKeR) wrote:
> > Hi Peter,
> >
> > Try some tuning at /var/ossec/etc/internal_options.conf
> > And which directories are you checking with syscheck?
> >
> > Regards,
> >
> > Rodrigo Montoro (Sp0oKeR)
> >
> > On Jan 18, 2008 7:33 AM, Peter Robinson <[EMAIL PROTECTED]> wrote:
> > > Hi
> > >
> > > OSSEC has been doing a great job for us on around 7 Debian and Ubuntu
> > > servers for the last few years. Thank you !!
> > >
> > > However recently whilst doing some maintenance and server rebuilds we
> > > have run into problems on 2 machines where we get CPU hitting 90% for
> > > like 4 days either on analysisd or syscheckd. On one machine (the OSSEC
> > > server) we removed a large amount of backup ~20 G. On the other machine
> > > (ossec client to this server) we moved the OSSEC install directory.
> > >
> > > Somehow I think the processes are trying to figure out where all this
> > > data has gone.
> > >
> > > We were running on ver 1.2 so I have upgraded to 1.4 using tarball but
> > > problem happens after a few days. Do you have any solution or guidance
> > > on how to effectively remove ossec and re-install?
> > >
> > > Thanks
> > >
> > > Pete
