Did you check /var/ossec/etc/internal_options.conf at the bottom for anything with a debug level of 1 or 2?
On Fri, Jul 1, 2011 at 3:17 PM, William Voyek <[email protected]> wrote:
> Hello List,
>
> I have just installed OSSEC v2.5.1 on a clean install of CentOS 5.6
> and configured 19 agents to report to the server. While monitoring the
> OSSEC processes I noticed that within the first 12 hours of the
> install the logfile in /var/ossec/logs had grown to over 1.3 GB.
> After examining the logfile I see that each line is prepended with
> "ossec-analysisd: DEBUG:". I thought I may have enabled debug mode by
> mistake so I did:
>
> /var/ossec/bin/ossec-control stop
> /var/ossec/bin/ossec-control disable debug
> /var/ossec/bin/ossec-control start
>
> But when ossec restarted I saw:
>
> Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
> 2011/07/01 14:28:13 ossec-testrule: INFO: Reading local decoder file.
> Started ossec-maild...
> Started ossec-execd...
> 2011/07/01 14:28:13 ossec-analysisd: DEBUG: Starting on debug mode - 1309555693
> Started ossec-analysisd...
> Started ossec-logcollector...
> Started ossec-remoted...
> Started ossec-syscheckd...
> Started ossec-monitord...
> Completed.
>
> So, how do I disable debug mode? At the rate the logfile is filling
> the 50GB partition I have mounted at /var/ossec will fill before the
> month is over.
>
> Thanks,
> William
>
> P.S. I sent this message once already but I did not see it come
> through. Sorry if it gets double posted.
