There's a file in /var/ossec/bin called something like .process_list. The
debug setting is in there.
On Jul 1, 2011 7:29 PM, "William Voyek" <[email protected]> wrote:
> Hello List,
>
> I have just installed OSSEC v2.5.1 on a clean install of CentOS 5.6
> and configured 19 agents to report to the server. While monitoring the
> OSSEC processes I noticed that within the first 12 hours of the
> install the logfile in /var/ossec/logs had grown to over 1.3 GB.
> After examining the logfile I see that each line is prepended with
> "ossec-analysisd: DEBUG:". I thought I may have enabled debug mode by
> mistake so I did:
>
> /var/ossec/bin/ossec-control stop
> /var/ossec/bin/ossec-control disable debug
> /var/ossec/bin/ossec-control start
>
> But when ossec restarted I saw:
>
> Starting OSSEC HIDS v2.5.1 (by Trend Micro Inc.)...
> 2011/07/01 14:28:13 ossec-testrule: INFO: Reading local decoder file.
> Started ossec-maild...
> Started ossec-execd...
> 2011/07/01 14:28:13 ossec-analysisd: DEBUG: Starting on debug mode - 1309555693
> Started ossec-analysisd...
> Started ossec-logcollector...
> Started ossec-remoted...
> Started ossec-syscheckd...
> Started ossec-monitord...
> Completed.
>
> So, how do I disable debug mode? At the rate the logfile is filling,
> the 50GB partition I have mounted at /var/ossec will fill before the
> month is over.
>
> Thanks,
> William
>
> P.S. I sent this message once already but I did not see it come
> through. Sorry if it gets double posted.