On that note, I received this error when I first noticed the issues and
tried rebooting OSSEC:
Stopping OSSEC: /var/ossec/bin/ossec-control: line 58: echo: write error: No space left on device
[ OK ]
Starting OSSEC: 2010/10/13 14:23:16 ossec-logcollector(2301): ERROR: Definition not found for: 'logcollector.loop_timeout'.
[FAILED]
I tried clearing out /var/ossec/queue/diff/* but when I restarted I got the
same ERROR.
I had to end up reinstalling OSSEC from scratch.
On Wed, Oct 13, 2010 at 2:42 PM, jplee3 <[email protected]> wrote:
> Hi all,
>
> I found this out the hard way (or I'm just naive), but it looks like
> OSSEC copies all dirs/files you want to enable "report_changes" on
> to /var/ossec/queue/diff/local. Gotta be really careful with this
> depending on where you've installed OSSEC. In my case, I installed in
> /var with limited space. After running a syscheck OSSEC started
> behaving badly and sent a flood of syscheck alerts to my inbox, saying
> the New md5/sha1sum is: 'xxx'
>
> Anyway, just a warning that running syscheck with report_changes="yes"
> can be dangerous if you're watching directories that may have large
> files.
>
> The remedy: either a) make sure OSSEC is in a directory with tons of
> space or b) make sure to ignore the 'large' files (this could get
> tedious).
>
>
> Just a heads-up guys!
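
Added example (not part of the original thread): a POSIX shell check that estimates how much space the report_changes copies will need and compares it with the free space on the filesystem holding /var/ossec/queue/diff. It assumes each <directories> element sits on one line of ossec.conf and that syscheck keeps roughly one copy of each watched file; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes one <directories> element per
# line in ossec.conf and about one stored copy per watched file.
# Usage: diff_space_ok /var/ossec/etc/ossec.conf /var/ossec/queue/diff 1048576

# List the paths of every <directories> element with report_changes="yes".
report_changes_dirs() {   # $1 = ossec.conf
    grep 'report_changes="yes"' "$1" |
        sed -n 's/.*<directories[^>]*>\([^<]*\)<\/directories>.*/\1/p' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -v '^$' || true
}

# Sum the apparent size (KB) of all regular files under those paths.
needed_kb() {   # $1 = ossec.conf
    report_changes_dirs "$1" | while IFS= read -r d; do
        [ -e "$d" ] && find "$d" -type f -exec ls -ln {} +
    done | awk '{ s += $5 } END { print int(s / 1024) }'
}

# Free KB on the filesystem that holds the diff store.
free_kb() {   # $1 = diff directory
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# Return 0 if the copies fit and still leave reserve_kb free, 1 otherwise.
diff_space_ok() {   # $1 = ossec.conf  $2 = diff dir  $3 = reserve KB (default 0)
    need=$(needed_kb "$1"); free=$(free_kb "$2"); reserve=${3:-0}
    echo "report_changes needs ~${need} KB; ${free} KB free on $2"
    [ $((need + reserve)) -le "$free" ]
}
```

Run it before turning on report_changes for a new directory; a non-zero return means either moving the OSSEC install to a larger filesystem or ignoring the large files, the two remedies given above.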