Hi all,
Just thought I would report that the following bash script doesn't seem to have any adverse effects on OSSEC but will at least keep inode utilization in check.
Aaron

#!/bin/bash
# script used for cleaning up ossec diff dirs (one subdirectory per agent)
cd /var/ossec/queue/diff || exit 1
/etc/init.d/ossec stop
# remove rule-535 state files older than 7 days for every agent directory
for mdir in */; do
    [ -d "${mdir}535" ] || continue
    find "${mdir}535" -type f -name 'state*' -mtime +7 -print0 | xargs -0 rm -f
done
/etc/init.d/ossec start

On Mon, May 6, 2013 at 6:38 PM, Jb Cheng <[email protected]> wrote:
> The queue/diff/<server>/535/ directory is used for rule ID 535 as shown in
> etc/rules/ossec-rules.xml.
> For Unix-like systems, the syscheck daemon uses the output of 'last -n 5' to
> detect changes in logged-in users.
>
> Windows systems use a different mechanism for this so you don't see them
> under /diff/.
>
> I do agree with you that the number of files under /diff/ should not grow
> without an upper bound.
> Perhaps someone can offer a fix...?
>
> On Monday, May 6, 2013 5:51:03 AM UTC-7, ab wrote:
>>
>> Hi all,
>> Just following up. Inode usage continues to grow. I took a look at
>> /var/ossec/queue/diff/server1/535 (I've inserted server1 by replacing
>> the name of one of our agents) and there are thousands of files with the
>> name state.number (number looks like a random or incremented number?). I
>> checked the contents of one of these files and they appear to be the output
>> of the last -n 5 command which is in the ossec.conf file of each of our Linux
>> agents. There aren't any directories in /var/ossec/queue/diff named after
>> any of our Windows clients. As I reported earlier, I did clear out
>> /var/ossec/queue/diff and reset the syscheck database without any side
>> effects a few days ago. Would there be any issues by continuing to purge
>> /var/ossec/queue/diff and if so, should I clear the syscheck database when
>> doing so? I'm guessing this is a bug? Please advise and thanks.
>>
>> Aaron
>>
>>
>> On Thu, May 2, 2013 at 3:39 PM, Aaron Bliss <[email protected]> wrote:
>>
>>> Hi all,
>>> In our environment, on the management server (version 2.7, CentOS 6 64
>>> bit), OSSEC is installed on a dedicated mount point at /var/ossec (fairly
>>> new install, has been online since this past December). We have a mixture
>>> of Windows and Linux agents (200 or so). The /var/ossec mount point on the
>>> management server ran out of inodes, despite only having about 3% of 20
>>> gigs disk utilization. I determined that the inodes (1.3 million of them)
>>> were getting used in /var/ossec/queue/diff. I was able to clean them up
>>> and clear the syscheck database of the agents, after which everything started
>>> working again. However, I was wondering what piece of OSSEC would be
>>> writing to /var/ossec/queue/diff and which configuration option would be
>>> doing so? Please advise and thanks.
>>>
>>> Aaron
>>>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
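Added here as an example, not code from the thread: a small bash check that counts the rule-535 state files per agent directory under queue/diff and flags agents above a threshold, so the inode growth described in the thread is noticed before the mount fills rather than after. The base path and threshold are parameters (defaults are assumptions), and the directory tree the demo builds is constructed sample data.

```bash
#!/bin/bash
# Added example, not from the thread: per-agent inventory of rule-535 state
# files under an OSSEC queue/diff directory, with a threshold check. Paths and
# the threshold are assumptions; the demo tree below is constructed.

# Print "<count> <agent>" for every agent directory that has a 535 subdirectory.
count_state_files() {
    local base="$1" agent n
    for agent in "$base"/*/; do
        [ -d "${agent}535" ] || continue
        n=$(find "${agent}535" -type f -name 'state*' | wc -l)
        printf '%d %s\n' "$((n))" "$(basename "$agent")"
    done
}

# Print the agents whose state-file count exceeds the threshold, largest first.
flag_over_threshold() {
    local base="$1" limit="$2"
    count_state_files "$base" | sort -rn | awk -v lim="$limit" '$1 > lim'
}

# Build a constructed sample tree: agent1 with 8 state files, agent2 with 3,
# and a Windows host with no 535 directory (as the thread notes for Windows).
build_demo_tree() {
    local d i
    d=$(mktemp -d)
    mkdir -p "$d/agent1/535" "$d/agent2/535" "$d/winhost"
    for i in $(seq 1 8); do : > "$d/agent1/535/state.$i"; done
    for i in $(seq 1 3); do : > "$d/agent2/535/state.$i"; done
    printf '%s\n' "$d"
}

demo=$(build_demo_tree)
echo "Per-agent state file counts:"
count_state_files "$demo"
echo "Agents over 5 files:"
flag_over_threshold "$demo" 5      # prints "8 agent1"
rm -rf "$demo"
```

On a real manager, run it as `flag_over_threshold /var/ossec/queue/diff 1000` from cron and alert on non-empty output; pair it with `df -i /var/ossec` so the check also sees the filesystem-level inode percentage.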
