On Wed, Apr 25, 2012 at 8:27 AM, Valentin Avram <[email protected]> wrote:
> Hello again.
> [snip]
>
>
> On Apr 23, dan (ddp) [email protected] wrote:
>
>> I thought auto_ignore was a server side setting. After 3 change
>> notifications you shouldn't get any more for that file. How quickly it
>> changes doesn't matter.
>
>
> auto_ignore (as far as I know) is documented as a server side setting. And
> on this server is set to "yes". However, I still get notifications. And I
> still need to find some spare time and dig more on this issue (the "spam"
> email we're getting is a bit annoying).
>
>
>> The format isn't exactly optimal. The files don't get smaller until
>> you make them smaller (clearing the DB).
>
>
> As I asked before: Stupid question: what happens if I clear the DB (except
> for the file getting way smaller)?
>

You'll start getting alerts for anything that was ignored. One of the
programs in /var/ossec/bin can clear the db, just make sure the OSSEC
processes are stopped before doing so.

>> The process isn't exactly optimal. It's something that's being looked
>> into, but I don't think much has been done yet.
>
>
>> > - why is it random-seeking and reading only in 4K blocks (can the read
>> > buffer be tuned?)
>> >
>>
>> No idea.
>
>
> My guess is that 4K is the size of some buffer, however I have not had
> any time to look at the source code to check.
>
> From what you know, did anything change in this matter between OSSEC 2.5.1
> and 2.6.0? What I mean is: upgrading from 2.5.1 to 2.6.0 would fix anything
> related to this issue? (besides me cleaning the DB).
>
>

Not that I know of, but 2.6 was released AGES ago, so I don't remember
much of what went into it. I also don't generally run the releases, so
it's been even longer since anything that was new in 2.6 was new to
me.

> Thank you for your time.
>
> V.
