RE: [ossec-list] OSSEC Log Rotation Failing

[Farnsworth, Robert]

Thanks Dan, I’ll try that, although it has not been an issue for the last 8  
months.



From: ossec-list@googlegroups.com [mailto:ossec-list@googlegroups.com] On 
Behalf Of dan (ddp)
Sent: Wednesday, July 22, 2015 11:50 AM
To: ossec-list@googlegroups.com
Subject: RE: [ossec-list] OSSEC Log Rotation Failing


On Jul 22, 2015 7:50 AM, "Farnsworth, Robert" 
<robert.farnswo...@hp.com<mailto:robert.farnswo...@hp.com>> wrote:
>
> Yes, ossec-monitord is running ossec    31115     1  0 Jul21 ?        
> 00:01:17 /var/ossec/bin/ossec-monitord
>
>

I think monitord runs as ossecm. Maybe try changing the owner of the ossec.log 
file to ossecm?

>
>
>
> I do not believe the FS is out of inodes.
>
>
>
> Filesystem            Inodes  IUsed   IFree IUse% Mounted on
>
> /dev/mapper/vg00-rootvol
>
>                       524288 108242  416046   21% /
>
> tmpfs                2041271      1 2041270    1% /dev/shm
>
> /dev/sda1              32768     52   32716    1% /boot
>
> /dev/mapper/vg00-homevol
>
>                      1048576   2477 1046099    1% /home
>
> /dev/mapper/vg00-tmpvol
>
>                       131072     22  131050    1% /tmp
>
> /dev/mapper/vg00-varvol
>
>                       327680   4296  323384    2% /var
>
> /dev/mapper/vg00-crashvol
>
>                        81920     11   81909    1% /var/crash
>
> /dev/mapper/vg00-auditvol
>
>                        65536     21   65515    1% /var/log/audit
>
> /dev/mapper/vg01-optvol
>
>                       655360   3557  651803    1% /opt
>
>
>
>
>
>
>
> From: ossec-list@googlegroups.com<mailto:ossec-list@googlegroups.com> 
> [mailto:ossec-list@googlegroups.com<mailto:ossec-list@googlegroups.com>] On 
> Behalf Of dan (ddp)
> Sent: Wednesday, July 22, 2015 7:42 AM
> To: ossec-list@googlegroups.com<mailto:ossec-list@googlegroups.com>
> Subject: Re: [ossec-list] OSSEC Log Rotation Failing
>
>
>
>
> On Jul 22, 2015 7:38 AM, "Farnsworth, Robert" 
> <robert.farnswo...@hp.com<mailto:robert.farnswo...@hp.com>> wrote:
> >
> > My log rotation has all of a sudden started to fail on two of my managers, 
> > this is causing my file system to fill up every night.
> >
>
> Is the fs out of inodes? Is ossec-monitord running?
>
> >
> >
> > Any suggestions to correcting this problem.
> >
> >
> >
> > -rw-r-----. 1 ossec ossec    9959839 Jul 14 04:01 ossec-alerts-13.log.gz
> >
> > -rw-r-----. 1 ossec ossec        398 Jul 14 04:01 ossec-alerts-13.log.sum
> >
> > -rw-r-----. 1 ossec ossec          0 Jul 15 04:02 ossec-alerts-14.log.gz
> >
> > -rw-r-----. 1 ossec ossec          0 Jul 15 04:02 ossec-alerts-14.log.sum
> >
> > -rw-r-----. 1 ossec ossec          0 Jul 16 04:01 ossec-alerts-15.log.gz
> >
> > -rw-r-----. 1 ossec ossec          0 Jul 16 04:01 ossec-alerts-15.log.sum
> >
> > -rw-r-----. 1 ossec ossec          0 Jul 17 04:02 ossec-alerts-16.log.gz
> >
> > -rw-r-----. 1 ossec ossec          0 Jul 17 04:02 ossec-alerts-16.log.sum
> >
> > -rw-r-----. 1 ossec ossec          0 Jul 18 04:02 ossec-alerts-17.log.gz
> >
> > -rw-r-----. 1 ossec ossec          0 Jul 18 04:01 ossec-alerts-17.log.sum
> >
> > -rw-r-----. 1 ossec ossec          0 Jul 19 04:01 ossec-alerts-18.log.gz
> >
> > -rw-r-----. 1 ossec ossec          0 Jul 19 04:01 ossec-alerts-18.log.sum
> >
> > -rw-r-----. 1 ossec ossec          0 Jul 20 04:03 ossec-alerts-19.log.gz
> >
> > -rw-r-----. 1 ossec ossec          0 Jul 20 04:02 ossec-alerts-19.log.sum
> >
> > -rw-r-----. 1 ossec ossec          0 Jul 21 04:07 ossec-alerts-20.log.gz
> >
> > -rw-r-----. 1 ossec ossec          0 Jul 21 04:02 ossec-alerts-20.log.sum
> >
> > -rw-r-----. 1 ossec ossec          0 Jul 22 04:04 ossec-alerts-21.log.gz
> >
> > -rw-r-----. 1 ossec ossec          0 Jul 22 04:01 ossec-alerts-21.log.sum
> >
> > -rw-r-----. 2 ossec ossec 3597332480 Jul 22 11:30 ossec-alerts-22.log
> >
> >
> >
> > Thanks
> >
> >
> >
> > Robert
> >
> >
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups 
> > "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to 
> > ossec-list+unsubscr...@googlegroups.com<mailto:ossec-list%2bunsubscr...@googlegroups.com>.
> > For more options, visit https://groups.google.com/d/optout.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to 
> ossec-list+unsubscr...@googlegroups.com<mailto:ossec-list%2bunsubscr...@googlegroups.com>.
>
> For more options, visit https://groups.google.com/d/optout.
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to 
> ossec-list+unsubscr...@googlegroups.com<mailto:ossec-list%2bunsubscr...@googlegroups.com>.
>
> For more options, visit https://groups.google.com/d/optout.
--

---
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
ossec-list+unsubscr...@googlegroups.com<mailto:ossec-list+unsubscr...@googlegroups.com>.
For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.