On Thu, Jul 7, 2011 at 11:44 AM, dan (ddp) <[email protected]> wrote:
> Other than the log message there isn't any indication the processes
> are running in debug mode.
> This is how they generally look in debug mode:
> root   4356  4.4 0.4 7600 7720 ?? S 29Jun11 185:22.82 /var/ossec/bin/ossec-syscheckd -d
> ossecm   36  0.0 0.2 4564 4940 ?? S 29Jun11   0:03.57 /var/ossec/bin/ossec-csyslogd -d
> root  27304  0.0 0.0  536  892 ?? I 29Jun11   0:00.10 /var/ossec/bin/ossec-execd -d
> ossec 22263  0.0 0.3 3400 5348 ?? S 29Jun11  14:07.31 /var/ossec/bin/ossec-analysisd -d
> root  32060  0.0 0.1  884 1272 ?? S 29Jun11   0:52.38 /var/ossec/bin/ossec-logcollector -d (ossec-logcollect)
> ossecr 30702 0.0 0.1 2916 1460 ?? S 29Jun11   0:18.68 /var/ossec/bin/ossec-remoted -d
> ossec 28070  0.0 0.1  952 1032 ?? I 29Jun11   0:55.38 /var/ossec/bin/ossec-monitord -d
>
> Also, that system always runs the processes in debug mode, and the log
> file isn't very big (since Feb).
>
> What kinds of messages are causing your logfile to grow to 10G?
>
It appears that for each logfile, system, eventlog, etc. monitored, I'm
getting these in the log:
2011/07/07 12:07:16 ossec-analysisd: DEBUG: Checking the rules - 9
2011/07/07 12:07:16 ossec-analysisd: DEBUG: Waiting for msgs - 1310065636
2011/07/07 12:07:16 ossec-analysisd: DEBUG: Received msg:
1:(myhost.mydomain) 10.0.0.101->WinEvtLog:WinEvtLog: Security:
AUDIT_SUCCESS(538): Security: a_user: MYDOMAIN: MYHOST: User Logoff:
User Name: a_user Domain: MYDOMAIN Logon ID:
(0x2,0xA12345B7) Logon Type: 3
2011/07/07 12:07:16 ossec-analysisd: DEBUG: Msg cleanup: WinEvtLog:
Security: AUDIT_SUCCESS(538): Security: a_user: MYDOMAIN: MYHOST: User
Logoff: User Name: a_user Domain: MYDOMAIN Logon
ID:
(0x2,0xA12345B7) Logon Type: 3
There were 10,000+ messages logged to that file in the last five minutes.
William
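The two checks this exchange turns on, as an added example that is not part of the thread or of the OSSEC project: confirm from `ps` output which ossec daemons were started with `-d`, and measure from an `ossec.log` sample how much of the growth is DEBUG output. The `ps` and log samples below are constructed, modelled on the lines quoted above; the log-line format (timestamp, daemon name, optional `(pid)`, level, message) follows the lines William posted, and lines without a leading timestamp are treated as continuations of the previous record, since the Windows event text spans several physical lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed `ps aux`-style sample, modelled on the lines dan quoted:
# three daemons started with -d (debug), two without.
PS_SAMPLE = """\
root 4356 4.4 0.4 7600 7720 ?? S 29Jun11 185:22.82 /var/ossec/bin/ossec-syscheckd -d
ossec 22263 0.0 0.3 3400 5348 ?? S 29Jun11 14:07.31 /var/ossec/bin/ossec-analysisd -d
root 32060 0.0 0.1 884 1272 ?? S 29Jun11 0:52.38 /var/ossec/bin/ossec-logcollector -d (ossec-logcollect)
ossecr 30702 0.0 0.1 2916 1460 ?? S 29Jun11 0:18.68 /var/ossec/bin/ossec-remoted
root 27304 0.0 0.0 536 892 ?? I 29Jun11 0:00.10 /var/ossec/bin/ossec-execd
"""

# Constructed ossec.log excerpt in the format William posted. The
# "Received msg" and "Msg cleanup" records each span three physical lines.
LOG_SAMPLE = """\
2011/07/07 12:07:16 ossec-analysisd: DEBUG: Checking the rules - 9
2011/07/07 12:07:16 ossec-analysisd: DEBUG: Waiting for msgs - 1310065636
2011/07/07 12:07:16 ossec-analysisd: DEBUG: Received msg: 1:(myhost.mydomain) 10.0.0.101->WinEvtLog:WinEvtLog: Security: AUDIT_SUCCESS(538): Security: a_user: MYDOMAIN: MYHOST: User Logoff:
User Name: a_user Domain: MYDOMAIN Logon ID:
(0x2,0xA12345B7) Logon Type: 3
2011/07/07 12:07:16 ossec-analysisd: DEBUG: Msg cleanup: WinEvtLog: Security: AUDIT_SUCCESS(538): Security: a_user: MYDOMAIN: MYHOST: User Logoff:
User Name: a_user Domain: MYDOMAIN Logon ID:
(0x2,0xA12345B7) Logon Type: 3
2011/07/07 12:07:21 ossec-remoted(30702): INFO: Started (pid: 30702).
"""

# Header of an ossec.log record: date, time, daemon, optional "(pid)", level.
LOG_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (ossec-\w+)(?:\(\d+\))?: (\w+): (.*)$"
)


def debug_daemons(ps_text):
    """Return {daemon: pid} for ossec daemons whose command line carries -d.

    Assumes BSD-style `ps aux` columns (command starts at field 11), as in
    the thread. A header line or a non-numeric PID field is skipped.
    """
    found = {}
    for line in ps_text.splitlines():
        fields = line.split()
        if len(fields) < 11 or not fields[1].isdigit():
            continue
        exe, args = fields[10], fields[11:]
        if "/ossec-" not in exe:
            continue
        if "-d" in args:  # the flag dan points at; extra -d's only raise verbosity
            found[exe.rsplit("/", 1)[-1]] = int(fields[1])
    return found


def parse_ossec_log(text):
    """Split ossec.log text into records, folding continuation lines.

    A line that does not start with a timestamp header is appended to the
    previous record (the Windows event text in the thread is multi-line).
    Each record tracks its own byte count so growth can be attributed.
    """
    records = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if m:
            records.append({
                "ts": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                "daemon": m.group(2),
                "level": m.group(3),
                "msg": m.group(4),
                "bytes": len(raw) + 1,  # +1 for the newline
            })
        elif records:
            records[-1]["msg"] += "\n" + raw
            records[-1]["bytes"] += len(raw) + 1
        # A continuation line before any header has nothing to attach to; drop it.
    return records


def log_volume(records):
    """Records and bytes per level, the time span covered and implied growth.

    Answers dan's question (what is filling the file) from a tail of the log
    rather than by reading all 10G of it.
    """
    by_level = defaultdict(lambda: {"records": 0, "bytes": 0})
    for r in records:
        by_level[r["level"]]["records"] += 1
        by_level[r["level"]]["bytes"] += r["bytes"]
    if not records:
        return {"by_level": {}, "span_seconds": 0.0,
                "records_per_second": 0.0, "bytes_per_day": 0.0}
    # A sample inside one second would give span 0; treat it as one second.
    span = (records[-1]["ts"] - records[0]["ts"]).total_seconds() or 1.0
    total_bytes = sum(v["bytes"] for v in by_level.values())
    return {
        "by_level": dict(by_level),
        "span_seconds": span,
        "records_per_second": len(records) / span,
        "bytes_per_day": total_bytes / span * 86400,
    }


if __name__ == "__main__":
    print("daemons in debug mode:", debug_daemons(PS_SAMPLE))
    vol = log_volume(parse_ossec_log(LOG_SAMPLE))
    for level, v in sorted(vol["by_level"].items()):
        print(f"{level:8s} {v['records']:6d} records {v['bytes']:8d} bytes")
    print(f"{vol['records_per_second']:.2f} records/s, "
          f"~{vol['bytes_per_day'] / 1e6:.1f} MB/day at this rate")
```

On a live box the inputs would be `ps aux` and `tail -n 20000 /var/ossec/logs/ossec.log`; the per-level byte split makes it obvious whether the growth is DEBUG chatter from `-d` or something a rule or decoder is genuinely complaining about.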