Thought I would let you know I have resolved this. I believe the problem stemmed from my alerts.log getting way too large and the Log Rotation could not handle the size of the file.
So I filtered a bunch of Windows event alerts to get the logs to a manageable level and the rotation is doing its job again. The OSSEC Log Rotation routine must have some limitations on file size.

Thanks for all your help.

Robert

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Wednesday, September 16, 2015 12:36 PM
To: [email protected]
Subject: Re: FW: [ossec-list] Re: Log Rotation issues

On Wed, Sep 16, 2015 at 12:18 PM, Farnsworth, Robert <[email protected]> wrote:
> No, it did not.
> I made the change and restarted OSSEC. I don’t remember us talking about a
> recompiling.
>

Sorry if I forgot to mention it, I meant to. When you change the source code you'll have to recompile and install the new binaries. Then restart the processes. Running the install.sh script should accomplish this (it will "upgrade" over itself).

>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of dan (ddp)
> Sent: Wednesday, September 16, 2015 12:17 PM
> To: [email protected]
> Subject: Re: FW: [ossec-list] Re: Log Rotation issues
>
> On Wed, Sep 16, 2015 at 8:50 AM, Farnsworth, Robert
> <[email protected]> wrote:
>> The only errors I see from analysisd are the read errors. One of them is the
>> Ossec Manager.
>>
>> Here is a sample.
>>
>> 2015/09/16 08:34:09 ossec-analysisd: ERROR: read error on /queue/diff/hostname/533/last-entry
>> 2015/09/16 08:34:09 ossec-analysisd: ERROR: read error on /queue/diff/ hostname/535/last-entry
>> 2015/09/16 08:37:56 ossec-analysisd: ERROR: read error on /queue/diff/ hostname/535/last-entry
>> 2015/09/16 08:40:11 ossec-analysisd: ERROR: read error on /queue/diff/ hostname/533/last-entry
>> 2015/09/16 08:40:11 ossec-analysisd: ERROR: read error on /queue/diff/ hostname/535/last-entry
>>
>
> That was after making the change, recompiling, and restarting OSSEC?
> Did the logfile rotate properly?

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
