The queue/diff/<server>/535/ directory is used for rule ID 535 as shown in etc/rules/ossec-rules.xml. For Unix-like systems, the syscheck daemon uses the output of 'last -n 5' to detect changes in logged-in users.

Windows systems use a different mechanism for this, so you don't see them under /diff/. I do agree with you that the number of files under /diff/ should not grow without an upper bound. Perhaps someone can offer a fix...?

On Monday, May 6, 2013 5:51:03 AM UTC-7, ab wrote:

> Hi all,
> Just following up. Inode usage continues to grow. I took a look at /var/ossec/queue/diff/server1/535 (I've inserted server1 by replacing the name of one of our agents) and there are thousands of files with the name state.number (number looks like a random or incremented number?). I checked the contents of one of these files and they appear to be the output of the last -n 5 command which is in the ossec.conf file of each of our Linux agents. There aren't any directories in /var/ossec/queue/diff named after any of our Windows clients. As I reported earlier, I did clear out /var/ossec/queue/diff and reset the syscheck database without any side effects a few days ago. Would there be any issues by continuing to purge /var/ossec/queue/diff and if so, should I clear the syscheck database when doing so? I'm guessing this is a bug? Please advise and thanks.
>
> Aaron
>
> On Thu, May 2, 2013 at 3:39 PM, Aaron Bliss <[email protected]> wrote:
>
>> Hi all,
>> In our environment, on the management server (version 2.7, CentOS 6 64 bit), OSSEC is installed on a dedicated mount point at /var/ossec (fairly new install, has been online since this past December). We have a mixture of Windows and Linux agents (200 or so). The /var/ossec mount point on the management server ran out of inodes, despite only having about 3% of 20 gigs disk utilization. I determined that the inodes (1.3 million of them) were getting used in /var/ossec/queue/diff. I was able to clean them up and clear the syscheck database of the agents, after which everything started working again.
>>
>> However, I was wondering what piece of OSSEC would be writing to /var/ossec/queue/diff and which configuration option would be doing so? Please advise and thanks.
>>
>> Aaron
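The unbounded growth of state.N files described in this thread can be watched and capped without touching the syscheck database. The following POSIX shell helper is an added example, not OSSEC's own code; it assumes the queue/diff/<agent>/<rule_id>/state.<n> layout Aaron reported, with a numeric suffix that grows over time (so the largest n is the newest snapshot).

```shell
#!/bin/sh
# Added example (not OSSEC code): audit and cap the state.N files that syscheck
# keeps under queue/diff/<agent>/<rule_id>/, e.g. queue/diff/server1/535/state.12.
# Assumption: the numeric suffix grows over time, so the largest n is newest.

# Print "<agent>/<rule_id> <file_count>" per rule directory, largest count
# first, so the agents eating the inode table stand out.
diff_report() {
    diff_root=$1
    for rule_dir in "$diff_root"/*/*/; do
        [ -d "$rule_dir" ] || continue
        count=0
        for f in "$rule_dir"state.*; do
            [ -f "$f" ] && count=$((count + 1))
        done
        rel=${rule_dir#"$diff_root"/}
        printf '%s %s\n' "${rel%/}" "$count"
    done | sort -k2 -n -r
}

# Delete all but the newest $keep state.N files in each rule directory and
# print how many were removed. Only the latest snapshot is needed for the
# next "changed since last run" comparison, so a small $keep is enough.
diff_prune() {
    diff_root=$1; keep=$2; removed=0
    for rule_dir in "$diff_root"/*/*/; do
        [ -d "$rule_dir" ] || continue
        # numeric suffixes, oldest first (state.9 sorts before state.10)
        nums=$(for f in "$rule_dir"state.*; do
                   [ -f "$f" ] && printf '%s\n' "${f##*state.}"
               done | grep -E '^[0-9]+$' | sort -n)
        set -- $nums
        excess=$(($# - keep))
        while [ "$excess" -gt 0 ]; do
            rm -f "${rule_dir}state.$1" && removed=$((removed + 1))
            shift; excess=$((excess - 1))
        done
    done
    echo "$removed"
}

# Demo on a constructed tree (not real agent data): 12 snapshots for one agent.
demo=$(mktemp -d)
mkdir -p "$demo/server1/535" "$demo/server2/535"
for n in 1 2 3 4 5 6 7 8 9 10 11 12; do : > "$demo/server1/535/state.$n"; done
: > "$demo/server2/535/state.1"
diff_report "$demo"     # server1/535 12, then server2/535 1
diff_prune "$demo" 5    # 7
rm -rf "$demo"
```

Run diff_report from cron against /var/ossec/queue/diff to catch growth before the mount runs out of inodes; diff_prune keeps the newest snapshots, so the next syscheck comparison still has a baseline.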
