On Fri, Jan 23, 2015 at 2:10 AM, Alexander Hartner <[email protected]> wrote:
> For several days now we are having a problem where /var/log/messages grows
> until the disk is full. It is being filled with messages from ossec-alerts.
>

Do you have ossec-csyslogd enabled? It looks like you do, and the alerts it sends out are making it back to /var/log/messages.

> 83158585: mail - syslog,errors,
> Jan 23 04:47:09 ossec-server ossec-alert ** Alert 1421988260.1938814950: mail - syslog,errors,
> Jan 23 04:47:09 ossec-server ossec-alert 2015 Jan 23 04:44:20 ossec-server->/var/log/messages
> Jan 23 04:47:09 ossec-server ossec-alert Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Jan 23 04:47:09 ossec-server ossec-alert Jan 23 04:33:46 ossec-server ossec-alert ** Alert 1421987604.967276741: mail - syslog,errors,
>
> Jan 23 04:47:09 ossec-server ossec-alert ** Alert 1421988260.1938815225: mail - syslog,errors,
> Jan 23 04:47:09 ossec-server ossec-alert 2015 Jan 23 04:44:20 ossec-server->/var/log/messages
> Jan 23 04:47:09 ossec-server ossec-alert Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Jan 23 04:47:09 ossec-server ossec-alert Jan 23 04:33:46 ossec-server ossec-alert Jan 23 04:28:36 ossec-server ossec-alert Jan 23 04:25:48 ossec-server ossec-alert Jan 23 04:23:13 ossec-server ossec-alert Jan 23 04:22:16 ossec-server ossec-alert Jan 23 04:21:57 ossec-server ossec-alert ** Alert 1421986880.30248404: mail - syslog,errors,
>
> This log is growing by several GBs per hour.
>
> Digging a little deeper we found:
>> grep -ri 1421987231.483412908 *
> 2015/Jan/ossec-alerts-23.log:Jan 23 04:28:36 ossec-server ossec-alert ** Alert 1421987231.483412908: mail - syslog,errors,
> 2015/Jan/ossec-alerts-23.log:Jan 23 04:33:46 ossec-server ossec-alert Jan 23 04:28:36 ossec-server ossec-alert ** Alert 1421987231.483412908: mail
>
> Which seems to suggest that alerts are reported to /var/log/messages and are being picked up recursively.
>
> Where can I check why OSSEC-ALERT messages started to go to /var/log/messages?
>
> Is there a way for me to check the alerts / queues and possibly clean out older alerts to have a fresh start? I somehow think it may be a build-up of these messages in a queue which is causing this. I already cleaned out /var/log/messages and restarted OSSEC, but the problem came back after some time.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
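Added example, not code from the list thread or from the OSSEC project: a small Python check for the loop the reply describes, where alerts sent by ossec-csyslogd to the local syslog daemon land in /var/log/messages and are read back by the localfile collector. The `<syslog_output>`/`<server>` and `<localfile>`/`<location>` element names are OSSEC's own; the header regex used to measure how many times a line has already been re-ingested, and the sample config, are constructed for this example.

```python
# Added example (not from the thread): flag the csyslogd -> local syslog ->
# /var/log/messages -> localfile feedback loop in an OSSEC server config, and
# count how many times a /var/log/messages line has already been re-ingested.
import re
import xml.etree.ElementTree as ET

LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}
SYSLOG_FILES = {"/var/log/messages", "/var/log/syslog"}
# One "<mon> <day> <time> <host> ossec-alert" header is prepended per trip through syslog.
HEADER_RE = re.compile(r"[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d \S+ ossec-alert\b")

def parse_ossec_conf(text):
    # ossec.conf may hold several top-level <ossec_config> blocks, which is not
    # one well-formed XML document, so wrap it in a synthetic root first.
    return ET.fromstring("<root>" + text + "</root>")

def find_loop(conf_text):
    """Return (syslog_output servers on this host, monitored syslog files)."""
    root = parse_ossec_conf(conf_text)
    local_targets = [s.text.strip() for out in root.iter("syslog_output")
                     for s in out.findall("server")
                     if s.text and s.text.strip() in LOCAL_HOSTS]
    monitored = [loc.text.strip() for lf in root.iter("localfile")
                 for loc in lf.findall("location")
                 if loc.text and loc.text.strip() in SYSLOG_FILES]
    return local_targets, monitored

def has_loop(conf_text):
    # Both halves are needed: alerts sent to the local syslog daemon AND the
    # file that daemon writes being tailed by ossec-logcollector.
    local_targets, monitored = find_loop(conf_text)
    return bool(local_targets) and bool(monitored)

def nesting_depth(line):
    """Number of nested alert headers in one /var/log/messages line (1 = not looping)."""
    return len(HEADER_RE.findall(line))

# Constructed config reproducing the loop described in the thread.
LOOPING_CONF = """
<ossec_config>
  <syslog_output>
    <server>127.0.0.1</server>
  </syslog_output>
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>
</ossec_config>
"""
```

Running `nesting_depth` over the quoted /var/log/messages lines gives 7 for the longest one, which is the recursion the poster's grep shows.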
