This seems to have solved the same syscheckd problem on FreeBSD 6.3
except that for the installed port the directory is
/usr/local/ossec-hids/queue/syscheck.

On Jan 21, 8:52 am, Peter Robinson <[EMAIL PROTECTED]>
wrote:
> Thanks Dan
>
> removal instructions much appreciated.
>
> Pete
>
> On Mon, 2008-01-21 at 06:19 -0400, Daniel Cid wrote:
> > Hi Pete,
>
> > I think your problem is really related to moving the ossec installs
> > around. To properly remove it,
> > just:
>
> > 1-Stop the ossec processes
> > 2-Remove the /var/ossec directory
> > 3-Remove /etc/ossec-init.conf
>
> > As for syscheck, all its data is stored at /var/ossec/queue/syscheck.
> > So, if you remove any file
> > stored in there (after stopping ossec), you should clean it up.
>
> > Hope it helps.
>
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
>
> > On Jan 18, 2008 10:40 AM, Peter Robinson <[EMAIL PROTECTED]> wrote:
>
> > > We haven't touched configuration in internal_options nor in syscheck
> > > configs and had been running fine for over 2 years then bam!
>
> > > As part of the syscheck, is there some internal store of data which has
> > > gotten into a mess? If so, can I delete it and restart?
>
> > > thanks
>
> > > Pete
>
> > > On Fri, 2008-01-18 at 10:17 -0200, Rodrigo Montoro (Sp0oKeR) wrote:
> > > >   Hi Peter,
> > > > >     Try some tuning at /var/ossec/etc/internal_options.conf
> > > >     And which directories are you checking with syscheck?
>
> > > > Regards,
>
> > > > Rodrigo Montoro (Sp0oKeR)
>
> > > > On Jan 18, 2008 7:33 AM, Peter Robinson <[EMAIL PROTECTED]> wrote:
>
> > > > > > Hi, OSSEC has been doing a great job for us on around 7 Debian and Ubuntu
> > > > > > servers for the last few years. Thank you!!
>
> > > > > > However recently whilst doing some maintenance and server rebuilds we
> > > > > > have run into problems on 2 machines where we get CPU hitting 90% for
> > > > > > like 4 days either on analysisd or syscheckd.  On one machine (the OSSEC
> > > > > > server) we removed a large amount of backup ~20 G. On the other machine
> > > > > > (ossec client to this server) we moved the OSSEC install directory.
>
> > > > > Somehow I think the processes are trying to figure out where all this
> > > > > data has gone.
>
> > > > > We were running on ver 1.2 so I have upgraded to 1.4 using tarball but
> > > > > problem happens after a few days. Do you have any solution or guidance
> > > > > on how to effectively remove ossec and re-install?
>
> > > > > Thanks
>
> > > > > Pete
