For several days now we have been having a problem where /var/log/messages grows until the disk is full. It is being filled with messages from ossec-alerts.
83158585: mail - syslog,errors,
Jan 23 04:47:09 ossec-server ossec-alert ** Alert 1421988260.1938814950: mail - syslog,errors,
Jan 23 04:47:09 ossec-server ossec-alert 2015 Jan 23 04:44:20 ossec-server->/var/log/messages
Jan 23 04:47:09 ossec-server ossec-alert Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Jan 23 04:47:09 ossec-server ossec-alert Jan 23 04:33:46 ossec-server ossec-alert ** Alert 1421987604.967276741: mail - syslog,errors,
Jan 23 04:47:09 ossec-server ossec-alert ** Alert 1421988260.1938815225: mail - syslog,errors,
Jan 23 04:47:09 ossec-server ossec-alert 2015 Jan 23 04:44:20 ossec-server->/var/log/messages
Jan 23 04:47:09 ossec-server ossec-alert Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Jan 23 04:47:09 ossec-server ossec-alert Jan 23 04:33:46 ossec-server ossec-alert Jan 23 04:28:36 ossec-server ossec-alert Jan 23 04:25:48 ossec-server ossec-alert Jan 23 04:23:13 ossec-server ossec-alert Jan 23 04:22:16 ossec-server ossec-alert Jan 23 04:21:57 ossec-server ossec-alert ** Alert 1421986880.30248404: mail - syslog,errors,

This log is growing by several GBs per hour. Digging a little deeper we found:

> grep -ri 1421987231.483412908 *
2015/Jan/ossec-alerts-23.log:Jan 23 04:28:36 ossec-server ossec-alert ** Alert 1421987231.483412908: mail - syslog,errors,
2015/Jan/ossec-alerts-23.log:Jan 23 04:33:46 ossec-server ossec-alert Jan 23 04:28:36 ossec-server ossec-alert ** Alert 1421987231.483412908: mail

This seems to suggest that alerts are reported to /var/log/messages and are being picked up recursively.

Where can I check why OSSEC-ALERT messages started to go to /var/log/messages? Is there a way for me to check the alerts/queues and possibly clean out older alerts to have a fresh start? I somehow think it may be a build-up of these messages in a queue which is causing this. I already cleaned out /var/log/messages and restarted OSSEC, but the problem came back after some time.
-- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
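Added example, not part of the post or of OSSEC itself: a small Python check that counts how many ossec-alert syslog headers are stacked inside a single line of /var/log/messages. A depth above one means an alert line was itself written to a log that OSSEC monitors and re-alerted on, which is the recursive pickup the post describes, and an alert id that appears more than once is the same symptom seen from the other side. The regex, the function names and the sample lines (the nested lines quoted above plus one constructed ordinary line) are assumptions of this example.

```python
import re
from collections import Counter

# Syslog header in the shape quoted in the post: "Jan 23 04:47:09 ossec-server ossec-alert".
# The month/day/time and any host name are matched; only the program name is fixed.
HEADER = re.compile(
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) {1,2}\d{1,2} "
    r"\d{2}:\d{2}:\d{2} \S+ ossec-alert\b"
)
# OSSEC alert id as printed in the alert header: "** Alert 1421987231.483412908:"
ALERT_ID = re.compile(r"\*\* Alert (\d+\.\d+):")


def nesting_depth(line: str) -> int:
    """Number of ossec-alert syslog headers embedded in one line.
    1 is a normal alert line; more than 1 means an alert quoted an earlier alert."""
    return len(HEADER.findall(line))


def analyse(lines):
    """Return (max_depth, looped_line_count, alert_ids_seen_more_than_once)."""
    max_depth = 0
    looped = 0
    ids = Counter()
    for line in lines:
        depth = nesting_depth(line)
        max_depth = max(max_depth, depth)
        if depth > 1:
            looped += 1
        for alert_id in ALERT_ID.findall(line):
            ids[alert_id] += 1
    repeated = sorted(i for i, n in ids.items() if n > 1)
    return max_depth, looped, repeated


# Constructed sample: nested lines as quoted in the post, plus one ordinary alert line.
SAMPLE = [
    "Jan 23 04:47:09 ossec-server ossec-alert ** Alert 1421988260.1938814950: mail - syslog,errors,",
    "Jan 23 04:47:09 ossec-server ossec-alert Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'",
    "Jan 23 04:47:09 ossec-server ossec-alert Jan 23 04:33:46 ossec-server ossec-alert ** Alert 1421987604.967276741: mail - syslog,errors,",
    "Jan 23 04:47:09 ossec-server ossec-alert Jan 23 04:33:46 ossec-server ossec-alert Jan 23 04:28:36 ossec-server ossec-alert ** Alert 1421987231.483412908: mail",
    "Jan 23 04:28:36 ossec-server ossec-alert ** Alert 1421987231.483412908: mail - syslog,errors,",
]

if __name__ == "__main__":
    depth, looped, repeated = analyse(SAMPLE)
    print(f"max nesting depth={depth} looped lines={looped} repeated alert ids={repeated}")
    if depth > 1:
        print("feedback loop: ossec-alert output is being re-ingested as a monitored log")
```

Run it against a tail of the real /var/log/messages instead of SAMPLE to confirm the loop before cleaning the file again; once the alert-to-syslog path no longer lands in a monitored log, the depth should stay at 1.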
