So if your saved log files start to fill up your partition, can you remove the old ones manually, or does OSSEC need them? I assume that if you need to look back you can use these files; how can this be done?
Curious,
Steve LuShing

On Wed, Sep 7, 2016 at 4:02 AM, Pedro Sanchez <[email protected]> wrote:
> You are welcome.
>
> Yes, syscheck controls/scans are executed every 22 hours by default,
> meaning that the syscheck binary will scan each file looking for modifications
> (checksum, groups, users, size); it will send back the updated files DB and
> the OSSEC Manager will compare the previous version with the new scan (new syscheck,
> as you name it :D); if there are modifications, in most cases, it will
> trigger an alert.
>
> Anyway, syscheck processes are not replacing or rotating the alerts.log file;
> the ossec-monitord daemon is the one in charge of rotating alerts.log daily.
>
> Btw, remember that OSSEC keeps old logs stored at
> /var/ossec/logs/alerts/2016/Sep
>
>> root@ubuntu:/var/ossec/logs/alerts/2016/Sep# ls -lah
>> total 152K
>> drwxr-x--- 2 ossec ossec 4,0K sep 7 00:29 .
>> drwxr-x--- 4 ossec ossec 4,0K sep 1 11:35 ..
>> -rw-r----- 1 ossec ossec 2,0K sep 2 02:29 ossec-alerts-01.json.gz
>> -rw-r----- 1 ossec ossec 338 sep 2 02:29 ossec-alerts-01.json.sum
>> -rw-r----- 1 ossec ossec 1,9K sep 2 02:29 ossec-alerts-01.log.gz
>> -rw-r----- 1 ossec ossec 334 sep 2 02:29 ossec-alerts-01.log.sum
>> -rw-r----- 1 ossec ossec 72K sep 6 02:21 ossec-alerts-02.json.gz
>> -rw-r----- 1 ossec ossec 338 sep 6 02:21 ossec-alerts-02.json.sum
>> -rw-r----- 1 ossec ossec 2,1K sep 6 02:21 ossec-alerts-02.log.gz
>> -rw-r----- 1 ossec ossec 334 sep 6 02:21 ossec-alerts-02.log.sum
>> -rw-r----- 1 ossec ossec 16K sep 6 08:07 ossec-alerts-06.json
>> -rw-r----- 1 ossec ossec 17K sep 6 08:07 ossec-alerts-06.log
>> -rw-r----- 2 ossec ossec 1,1K sep 7 00:30 ossec-alerts-07.json
>> -rw-r----- 2 ossec ossec 730 sep 7 00:30 ossec-alerts-07.log
>
> Best regards,
>
> Pedro S.
>
> On Tue, Sep 6, 2016 at 12:57 PM, Daiyue Weng <[email protected]> wrote:
>
>> okay, I see. thanks for the explanation.
>>
>> syscheck is done every 22 hours by default, so that is what I mean by
>> "new syscheck".
>>
>> cheers
>>
>> On 6 September 2016 at 10:22, Pedro Sanchez <[email protected]> wrote:
>>
>>> Hi Daiyue,
>>>
>>> I don't really understand what you mean by "new syscheck" is replacing
>>> previous logs; please could you explain this in detail?
>>>
>>> Regarding the rotation of alerts.log, we can't configure the log
>>> size; it is rotating daily no matter how much it weighs, it will rotate every
>>> day. If you open etc/internal_options.conf you will be able to
>>> enable/disable compression, but nothing related to log size.
>>>
>>> Best regards,
>>>
>>> Pedro S.
>>>
>>> On Tue, Sep 6, 2016 at 10:11 AM, Daiyue Weng <[email protected]> wrote:
>>>
>>>> Hi, I found that alerts.log is rotating so that previous logs were
>>>> replaced by new syschecks, so is there any way to configure ossec to record previous
>>>> logs, like increasing log size?
>>>>
>>>> cheers
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
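As an added example (not code from this thread or from OSSEC itself) for Steve's look-back question: a Python helper that searches the live and rotated alert files in a month directory like the one listed above and checks each rotated file against its .sum before reporting a hit from it. The .sum layout it parses (MD5 and SHA1 of the uncompressed log under "Current checksum:", then chained hashes of the previous .sum), the hypothetical function names, and the sample alert lines are assumptions constructed for the example, not facts from the thread.

```python
# Added example, not code from the thread or OSSEC. Reads back archives laid out as in the
# listing above; the .sum layout (MD5/SHA1 of the uncompressed log) is an assumption.
import gzip, hashlib, re, tempfile
from pathlib import Path

NAME_RE = re.compile(r"^ossec-alerts-\d{2}\.log(\.gz)?$")
SUM_RE = re.compile(r"^(MD5|SHA1)\s+\((.+)\) = (\w+)$")

def read_bytes(path):  # uncompressed content of a live (.log) or rotated (.log.gz) file
    return gzip.decompress(path.read_bytes()) if path.suffix == ".gz" else path.read_bytes()

def verify_sum(path):
    """None if no .sum (live log); True only if both 'Current checksum' hashes match."""
    base = re.sub(r"\.gz$", "", path.name)
    sum_path = path.with_name(base + ".sum")
    if not sum_path.exists():
        return None
    data = read_bytes(path)
    want = {"MD5": hashlib.md5(data).hexdigest(), "SHA1": hashlib.sha1(data).hexdigest()}
    found = {m.group(1): m.group(3) for m in map(SUM_RE.match, sum_path.read_text().splitlines())
             if m and Path(m.group(2)).name == base}  # chained lines name the previous .sum
    return found == want

def search_alerts(month_dir, pattern):
    """(file name, verify_sum result, line) for each matching line in live and rotated files."""
    hits = []
    for p in sorted(Path(month_dir).iterdir()):
        if NAME_RE.match(p.name):
            ok = verify_sum(p)
            hits += [(p.name, ok, ln) for ln in read_bytes(p).decode(errors="replace").splitlines()
                     if re.search(pattern, ln)]
    return hits

def build_sample_archive():
    """Constructed month dir: day 01 rotated+signed, day 02 edited after signing, day 07 live."""
    d = Path(tempfile.mkdtemp())
    a = b"Rule: 550 (level 7) -> 'Integrity checksum changed.'\n"   # made-up, OSSEC-shaped
    b = b"Rule: 5715 (level 3) -> 'SSHD authentication success.'\n"
    def rotate(day, signed, stored):  # stand-in for ossec-monitord: sign, then compress
        name = f"ossec-alerts-{day}.log"
        (d / f"{name}.sum").write_text(
            f"Current checksum:\nMD5  (logs/alerts/2016/Sep/{name}) = {hashlib.md5(signed).hexdigest()}\n"
            f"SHA1 (logs/alerts/2016/Sep/{name}) = {hashlib.sha1(signed).hexdigest()}\n\n"
            "Chained checksum:\nMD5  (logs/alerts/2016/Aug/ossec-alerts-31.log.sum) = none\n")
        (d / f"{name}.gz").write_bytes(gzip.compress(stored))
    rotate("01", a, a)
    rotate("02", a, a + b)  # content no longer matches what was signed
    (d / "ossec-alerts-07.log").write_bytes(b)
    return d
```

A hit whose second field is False comes from a rotated file whose content no longer matches its .sum, so treat it as unreliable; None means the file is the still-live log that has not been signed yet.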
