Hi,
I have appended a patch which disables the use of state.[timestamp] files for
rule diffs.
As far as I can see, these files are never used by OSSEC again; OSSEC only uses
the last-entry file.
I tested the patch only briefly, so it might not work for you, but feel
free to test it.
Best regards
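The layout the thread below describes, queue/diff/<agent>/535/ filling up with one state.<timestamp> file per detected change in the `last -n 5` output next to the single last-entry file OSSEC actually reads, as an added example that is neither part of this mail nor of the OSSEC code base: a report of which agent/rule directories hold the inodes, and a prune that keeps only the newest N state files judged by their epoch suffix (so it does not depend on mtime the way the posted script does) and never removes last-entry. The file name last-entry is taken from the reply above and is an assumption here, as are the sample tree and its contents, which are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the OSSEC project). It assumes the
# layout the thread describes: $DIFF_DIR/<agent>/<rule_id>/state.<epoch>, with
# one last-entry file per rule directory (that file name is taken from the
# reply above and is an assumption here).

# Count state.* files in one rule directory (prints 0 when there are none).
_state_count() {
    ls "$1" | grep -c '^state\.[0-9][0-9]*$' || true
}

# Print "<count> <agent>/<rule_id>" for every rule directory, biggest first,
# so the inode consumers are visible before anything is deleted.
diff_inode_report() {
    dir=$1
    for rule_dir in "$dir"/*/*/; do
        [ -d "$rule_dir" ] || continue
        rel=${rule_dir#"$dir"/}
        rel=${rel%/}
        printf '%s %s\n' "$(_state_count "$rule_dir")" "$rel"
    done | sort -rn
}

# Keep only the newest $2 state.* files in each rule directory under $1,
# judged by the epoch suffix rather than mtime, and never touch last-entry.
# Prints the number of files removed.
diff_prune() {
    dir=$1
    keep=$2
    removed=0
    for rule_dir in "$dir"/*/*/; do
        [ -d "$rule_dir" ] || continue
        total=$(_state_count "$rule_dir")
        excess=$((total - keep))
        [ "$excess" -gt 0 ] || continue
        # oldest first, drop everything beyond the retention count
        ls "$rule_dir" | grep '^state\.[0-9][0-9]*$' | sort -t. -k2,2n |
            head -n "$excess" | while read -r f; do
                rm -f "$rule_dir/$f"
            done
        removed=$((removed + excess))
    done
    echo "$removed"
}

# Constructed sample tree standing in for /var/ossec/queue/diff: server1 has
# five state files for rule 535, server2 has one; each has a last-entry.
make_sample_tree() {
    base=$(mktemp -d)
    for agent in server1 server2; do
        mkdir -p "$base/$agent/535"
        printf 'reboot   system boot  2.6.32  Mon May  6 09:00\n' > "$base/$agent/535/last-entry"
    done
    for ts in 1367510000 1367520000 1367530000 1367540000 1367550000; do
        printf 'root     pts/0        10.0.0.5  Mon May  6 08:00\n' > "$base/server1/535/state.$ts"
    done
    printf 'root     pts/1        10.0.0.7  Mon May  6 08:30\n' > "$base/server2/535/state.1367510000"
    printf '%s' "$base"
}

# Usage on a real server (with the daemon stopped, as in the posted script):
#   diff_inode_report /var/ossec/queue/diff
#   diff_prune /var/ossec/queue/diff 20
```

The report is worth running first: it tells you whether the growth is really confined to rule 535 on the Unix agents, as the thread concludes, or whether another rule directory is contributing. Pruning by the epoch suffix rather than `-mtime` means a restore from backup or a clock jump on the manager cannot make the wrong files look "old".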
On 05/14/2013 04:38 PM, Aaron Bliss wrote:
> Hi all,
> Just thought I would report that the following bash script doesn't
> seem to have any adverse effects on OSSEC but will at least keep inode
> utilization in check.
>
> Aaron
>
> #!/bin/bash
>
> # script used for cleaning up ossec dirs: remove state.* files older than
> # 7 days from every agent's 535 directory under queue/diff
>
> cd /var/ossec/queue/diff || exit 1
>
> /etc/init.d/ossec stop
> for mdir in */; do
>     find "./${mdir%/}/535" -type f -name 'state.*' -mtime +7 -print0 2>/dev/null | xargs -0 rm -f
> done
> /etc/init.d/ossec start
>
>
> On Mon, May 6, 2013 at 6:38 PM, Jb Cheng <[email protected]> wrote:
>
> The queue/diff/<server>/535/ directory is used for rule ID 535 as
> shown in etc/rules/ossec-rules.xml.
> For Unix-like systems, the syscheck daemon uses the output of 'last -n
> 5' to detect changes in logged-in users.
>
> Windows systems use a different mechanism for this so you don't
> see them under /diff/.
>
> I do agree with you that the number of files under /diff/ should
> not grow without an upper bound.
> Perhaps someone can offer a fix...?
>
> On Monday, May 6, 2013 5:51:03 AM UTC-7, ab wrote:
>
> Hi all,
> Just following up. inode usage continues to grow. I took a
> look at /var/ossec/queue/diff/server1/535 (I've inserted
> server1 by replacing the name of one of our agents) and there
> are thousands of files with the name state.number (number
> looks like a random or incremented number?). I checked the
> contents of one of these files and they appear to be the
> output of the last -n 5 command which is in the ossec.conf file
> of each of our Linux agents. There aren't any directories in
> /var/ossec/queue/diff named after any of our Windows clients.
> As I reported earlier, I did clear out /var/ossec/queue/diff
> and reset the syscheck database without any side effects a few
> days ago. Would there be any issues with continuing to purge
> /var/ossec/queue/diff and if so, should I clear the syscheck
> database when doing so? I'm guessing this is a bug? Please
> advise and thanks.
>
> Aaron
>
>
> On Thu, May 2, 2013 at 3:39 PM, Aaron Bliss
> <[email protected]> wrote:
>
> Hi all,
> In our environment, on the management server (version 2.7,
> CentOS 6 64 bit), OSSEC is installed on a dedicated mount
> point at /var/ossec (fairly new install, has been online
> since this past December). We have a mixture of Windows
> and Linux agents (200 or so). The /var/ossec mount point
> on the management server ran out of inodes, despite only
> having about 3% of 20 gigs disk utilization. I determined
> that the inodes (1.3 million of them) were getting used in
> /var/ossec/queue/diff. I was able to clean them up and
> clear the syscheck database of the agents, after which
> everything started working again. However, I was
> wondering what piece of OSSEC would be writing to
> /var/ossec/queue/diff and which configuration option would
> be doing so? Please advise and thanks.
>
> Aaron
>
>
> --
>
> ---
> You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it,
> send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
*** dodiff.c.old 2013-05-14 17:08:04.331522742 +0200
--- dodiff.c 2013-05-14 17:13:48.299529199 +0200
***************
*** 90,96 ****
int date_of_change;
char *htpt = NULL;
char flastfile[OS_SIZE_2048 +1];
- char fdifffile[OS_SIZE_2048 +1];
char flastcontent[OS_SIZE_8192 +1];
--- 90,95 ----
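Review bot: removing `fdifffile` here leaves `char *htpt = NULL;` two lines above it with no visible remaining use, since the only code that touched `htpt` is the hostname-bracket handling deleted in the next hunk; if the rest of the function does not reference it, delete that declaration in the same hunk (and check `date_of_change` the same way, as the removed `snprintf` was its consumer in the shown lines) so the build does not start emitting unused-variable warnings.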
***************
*** 174,203 ****
}
- /* File was modified. */
- if(lf->hostname[0] == '(')
- {
- htpt = strchr(lf->hostname, ')');
- if(htpt)
- {
- *htpt = '\0';
- }
- snprintf(fdifffile, OS_SIZE_2048, "%s/%s/%d/state.%d", DIFF_DIR, lf->hostname+1,
- currently_rule->sigid, date_of_change);
-
- if(htpt)
- {
- *htpt = ')';
- }
- htpt = NULL;
- }
- else
- {
- snprintf(fdifffile, OS_SIZE_2048, "%s/%s/%d/state.%d", DIFF_DIR, lf->hostname,
- currently_rule->sigid, date_of_change);
- }
-
- rename(flastfile, fdifffile);
if(!_add2last(lf->log, lf->size, flastfile))
{
merror("%s: ERROR: unable to create last file: %s", ARGV0, flastfile);
--- 173,178 ----
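Review bot: dropping `rename(flastfile, fdifffile);` unconditionally removes the per-change history that `state.<date_of_change>` preserved, so after this hunk the previous `last -n 5` output is simply overwritten by `_add2last(lf->log, lf->size, flastfile)` and nothing keeps a record of what changed. If the aim is to bound inode use rather than abolish the history, a retention limit (keep the newest N state files per rule directory, none when unset) would be the less surprising change; either way the behavioural change belongs in the patch description. It is also worth confirming, before this is merged, that nothing outside this function reads `DIFF_DIR/<hostname>/<sigid>/state.*`, since the cover mail only says the files are "as far as I can see" never used again.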