Hello Buser85,

When the OSSEC agent goes offline, it will stop performing checks and collecting events locally. Therefore, no events are going to be generated regarding FIM, and no further disk space should be consumed. The logs stored at the *ossec.log* should only be reporting the inability to connect to the server too. Also, the *ossec.log* files are compressed and rotated daily under */var/ossec/logs/ossec* in Linux and *C:\Program Files (x86)\ossec-agent\logs* in Windows.

If the agent comes back online, then it should perform the *syscheck* scans back again, and report all file changes comparing the last checksum of the files stored in the database before it went offline with the most recent ones, being able to report which files were modified while the agent was offline.

I hope this helps.

On Wednesday, November 13, 2019 at 8:05:05 PM UTC+1 Buser85 wrote:

> Can somebody give some feedback in relation to the below please:
>
> In the event an OSSEC core server was to go offline for an extended period
> of time will the agents keep storing syscheck alerts locally until the core
> comes back online?
>
> If the agents do spool alert logs locally the risk is disk space on agents
> filling up. Any settings to prevent this?
>
> Lastly, the local agent log OSSEC.log. Any way to limit the size?
>
> Thanks a lot.
