Hi all, I found this out the hard way (or I'm just naive), but it looks like OSSEC copies all dirs/files you want to enable "report_changes" on to /var/ossec/queue/diff/local. Gotta be really careful with this depending on where you've installed OSSEC. In my case, I installed in /var with limited space. After running a syscheck, OSSEC started behaving badly and sent a flood of syscheck alerts to my inbox, saying "New md5/sha1sum is: 'xxx'".
Anyway, just a warning that running syscheck with report_changes="yes" can be dangerous if you're watching directories that may have large files. The remedy: either a) make sure OSSEC is in a directory with tons of space or b) make sure to ignore the 'large' files (this could get tedious). Just a heads-up guys!
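A quick way to size this problem before turning on report_changes, as an added example that is not part of the original post and not OSSEC's own tooling: walk the directories you intend to monitor, total the bytes OSSEC would copy under /var/ossec/queue/diff/local, compare that with the free space on that filesystem, and print ready-made `<ignore>` lines for files above a size threshold so the "ignore the large files" remedy is less tedious. The script assumes the queue path quoted above, takes the monitored directories and threshold from the command line, and includes a small constructed sample tree for a stand-alone run.

```python
"""Estimate the disk cost of syscheck report_changes="yes" and list files to ignore.

Added example; assumes OSSEC keeps its copies under the queue path from the post.
"""
import os
import stat
import sys
import tempfile
from xml.sax.saxutils import escape

# Path named in the post; OSSEC stores its working copies of monitored files here.
DIFF_QUEUE = "/var/ossec/queue/diff/local"


def scan_tree(root, threshold_bytes):
    """Walk root and return (total_bytes, [(abs_path, size)] over the threshold).

    Only regular files count: symlinks, sockets and devices are skipped because
    lstat() is used and S_ISREG() rejects them.
    """
    total = 0
    large = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; nothing to copy anyway
            if not stat.S_ISREG(st.st_mode):
                continue
            total += st.st_size
            if st.st_size > threshold_bytes:
                large.append((path, st.st_size))
    return total, sorted(large, key=lambda item: -item[1])


def ignore_entries(large):
    """Render <ignore> lines for the <syscheck> section of ossec.conf."""
    return ["  <ignore>%s</ignore>" % escape(path) for path, _size in large]


def free_bytes(path):
    """Free bytes on the filesystem holding path (nearest existing ancestor)."""
    if not hasattr(os, "statvfs"):
        return None  # non-POSIX platform; caller treats None as unknown
    while not os.path.exists(path):
        path = os.path.dirname(path) or "/"
    vfs = os.statvfs(path)
    return vfs.f_bavail * vfs.f_frsize


def report(roots, threshold_bytes, queue=DIFF_QUEUE):
    """Aggregate scan results for several directories into one dict."""
    total = 0
    large = []
    for root in roots:
        sub_total, sub_large = scan_tree(root, threshold_bytes)
        total += sub_total
        large.extend(sub_large)
    large.sort(key=lambda item: -item[1])
    free = free_bytes(queue)
    return {
        "total_bytes": total,
        "free_bytes": free,
        "fits": None if free is None else total < free,
        "large": [(os.path.basename(p), s) for p, s in large],
        "ignore": ignore_entries(large),
    }


def build_sample_tree(base=None):
    """Create a constructed sample tree: two small files and one 5000-byte file."""
    base = base or tempfile.mkdtemp(prefix="syscheck-sample-")
    os.makedirs(os.path.join(base, "conf.d"), exist_ok=True)
    with open(os.path.join(base, "hosts.sample"), "wb") as fh:
        fh.write(b"x" * 200)
    with open(os.path.join(base, "conf.d", "app.conf"), "wb") as fh:
        fh.write(b"y" * 300)
    with open(os.path.join(base, "big.bin"), "wb") as fh:
        fh.write(b"z" * 5000)
    try:
        os.symlink("big.bin", os.path.join(base, "link-to-big"))  # must be skipped
    except OSError:
        pass
    return base


if __name__ == "__main__":
    # usage: python syscheck_budget.py THRESHOLD_BYTES DIR [DIR ...]
    if len(sys.argv) < 3:
        dirs, limit = [build_sample_tree()], 1024
    else:
        limit, dirs = int(sys.argv[1]), sys.argv[2:]
    result = report(dirs, limit)
    print("bytes OSSEC would copy:", result["total_bytes"])
    print("free on queue filesystem:", result["free_bytes"], "fits:", result["fits"])
    print("\n".join(result["ignore"]) or "  (no files over threshold)")
```

Run it with the threshold first and then the directories from your `<directories report_changes="yes">` entries; paste the printed `<ignore>` lines into the `<syscheck>` block and re-run until the total is comfortably below the free space. The estimate is a lower bound, since OSSEC keeps prior versions as well as the current copy.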
