Hello List,

I have just installed OSSEC v2.5.1 on a clean install of CentOS 5.6 and configured 19 agents to report to the server. While monitoring the OSSEC processes I noticed that within the first 12 hours of the install the logfile in /var/ossec/logs had grown to over 1.3 GB. After examining the logfile I see that each line is prepended with "ossec-analysisd: DEBUG:". I thought I may have enabled debug mode by mistake so I did:

    /var/ossec/bin/ossec-control stop
    /var/ossec/bin/ossec-control disable debug
    /var/ossec/bin/ossec-control start

But when ossec restarted I saw:

    Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
    2011/07/01 14:28:13 ossec-testrule: INFO: Reading local decoder file.
    Started ossec-maild...
    Started ossec-execd...
    2011/07/01 14:28:13 ossec-analysisd: DEBUG: Starting on debug mode - 1309555693
    Started ossec-analysisd...
    Started ossec-logcollector...
    Started ossec-remoted...
    Started ossec-syscheckd...
    Started ossec-monitord...
    Completed.

So, how do I disable debug mode? At the rate the logfile is filling, the 50GB partition I have mounted at /var/ossec will fill before the month is over.

Thanks,
William

P.S. I sent this message once already but I did not see it come through. Sorry if it gets double posted.
