Re: [ossec-list] Re: Deleting the OSSEC agent 'queue' directory

2017-04-20 Thread Patrick Tobin 
Answers inline below.

On 4/20/17, 2:17 PM, "ossec-list@googlegroups.com on behalf of B. S." 
 wrote:

Kewl! Thank you!

 > Here is my solution if you are using active response and allow remote 
commands.

Ah, but reading it, you also answer local installs! Thank you!

So, just deleting files in /var/ossec/queue/diff/local/ won't befuddle 
ossec? – I had the same concern but have not ran into any major issues with 
deleting this directory. I have run into a couple of minor issues where a file 
changes but you do not receive the diff in the alerts log. I believe this is 
because once you delete the ‘diff/local’ directory, the agent does not have the 
previous version of the file to perform the diff.

What are the consequences / impact? Loss of change history, presumably. – 
As long as all of the events/logs are being forwarded to the OSSEC server you 
should not have any issues. This directory only keeps the diffs and the current 
state of the files that are being monitored with the ‘report_changes’ option. 
Once a change has been found the diff is forwarded to the OSSEC console.

er, more precisely, loss of change history between versions at a point 
in time, I guess. 


On 04/20/2017 01:41 PM, Patrick Tobin wrote:
> Here is my solution if you are using active response and allow remote 
commands.
>
> AR Script (/var/ossec/active-response/bin/fix-var.sh)
>
> #!/bin/bash
> ARCommand='rm -rf /var/ossec/queue/diff/local/'
> RDate=`date`
> LOG=/var/ossec/logs/ar.log
> date >> ${LOG}
> $ARCommand >> ${LOG}
>
> AR Rule (/var/ossec/rules/local_rules.xml)
>
>
>  530
>  ossec: output: 'df /var':
>  DiskFull
>  /var is getting full. Clearing logs
>  low_diskspace,
>
>
> Command (/var/ossec/etc/shared/agent.conf)
>
>
>  command
>  Disk=`df /var | tail -1 | awk '{print $2}'`;vSize=`du 
/var/ossec/queue/diff/local | awk '{print $1}' | tail -1`;dStatus=`df -h /var | 
tail -1`;dStatus=`df -h /var | tail -1`;if [[ ${percent} -gt "75" ]]; then echo 
-n "DiskFull ${dStatus}";fi
>  360
>  df /var
>
>
> Note: You can change the percentage at which this is activated to fit 
your environment. (if [[ ${percent} -gt "75" ]]) Change the ‘75’ to the 
percentage you would like it to activate.
>
>
>
> From:  on behalf of Bee esS 

> Reply-To: "ossec-list@googlegroups.com" 
> Date: Thursday, April 20, 2017 at 1:03 PM
> To: ossec-list 
> Subject: [ossec-list] Re: Deleting the OSSEC agent 'queue' directory
>
> Bump.
>
> On Wednesday, 19 August 2015 10:51:26 UTC-4, Jamey B wrote:
> I'm making a CRON job to remove anything in the queue folder, would this 
be a good CRON job if I wanted the directory cleared if the items are over 5 
days old and I want it ran once a day at 10PM? The last time I took my OSSEC 
server down, the agent disk space started getting too big in 
/var/ossec/queue/diff/local after a few weeks. Would any other directories do 
the same thing, or is this the only directory that gets queue data?
>
> 0 22 * * * /usr/bin/find /var/ossec/queue/diff/local/* -mtime +5 -exec rm 
{} \;
>
>
>   I don't want the OSSEC agent to take up a lot of disk space, what else 
could I do?
> --
>
> ---
> You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
email to 
ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an 
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Very big syscheck queue - how to deal with it?

2017-04-20 Thread dan (ddp) 
On Thu, Apr 20, 2017 at 2:07 PM, B. S.  wrote:
>> To clear a syscheck db:
>> 1. stop the ossec processes on the server
>> 2. /var/ossec/bin/syscheck_control -u AGENT_ID
>> 3. Start the ossec processes on the server
>
> Thank you - "To clear a syscheck db" gave me the context needed to better
> understand syscheck_control --help.
>
> So:
>> 2. /var/ossec/bin/syscheck_control -u AGENT_ID
>
> Could also have been '/var/ossec/bin/syscheck_control -u all'.
>
> Granted, you could not know I'm on a local install with no remote agents.
>
> However, sadly, /var/ossec/queue is still quite large. Per the OP.
>
> In particular, in my case, /var/ossec/queue/diff
>

And there is the context that could have made this much easier.

> What is the appropriate way to squish this dir down?
> (Corresponding question would then be, specifying a 'checkpoint'? Is that
> even possible - to, say, say maintain your original, or, say, as of 1 month
> ago, so that diffs between then and now are kept?)
>
> I see references to just deleting files in diff. Is that safe? i.e. Won't
> befuddle ossec? (I get I'll lose the change history.)
>

You should be able to delete the files. I don't generally use the diff
option, so haven't tested this all myself.

>
>
> On 04/20/2017 01:29 PM, dan (ddp) wrote:
>>
>> On Thu, Apr 20, 2017 at 1:02 PM, Bee esS  wrote:

 If you need them shrunk, you'll have to clear the databases.
>>>
>>>
>>> How?
>>>
>>
>> When resurrecting 2+ year old threads, it might be best to offer more
>> context.
>> To clear a syscheck db:
>> 1. stop the ossec processes on the server
>> 2. /var/ossec/bin/syscheck_control -u AGENT_ID
>> 3. Start the ossec processes on the server
>>
>>
>>> On Monday, 8 December 2014 08:03:57 UTC-5, dan (ddpbsd) wrote:


 On Mon, Dec 8, 2014 at 7:17 AM, horst knete  wrote:
>
>
> Now looking at our /var/ossec/queue/syscheck queue directory at the
> server,
> this folder has an size of 5.4 GB and contains 2 "files" for almost
> every
> ossec-client.


 Those files grow because there are changes on the systems they
 represent. Those are the syscheck database files. If you need them
 shrunk, you'll have to clear the databases. I don't know what the rest
 of that means though (the cpu/ram/network stuff).

> Because none of these lacks are given i´d like to know how i can
> decrease
> the size of this queue.


>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to ossec-list+unsubscr...@googlegroups.com.
>>> For more options, visit https://groups.google.com/d/optout.
>>
>>
>
> --
>
> --- You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Override eventlog with eventchannel via Centralized agent config

2017-04-20 Thread Brett Simpson 
I wasn't sure how to do this or if it's possible but I have a large number 
of ossec agents where I want to filter out specific Windows Event ID agent 
side. If I modify the ossec.conf on the agent and replace the log_format of 
my System from eventlog  to eventchannel it works however if I leave it to 
eventlog and alter the centralized agent config to include that for Windows 
OS it doesn't work. I do see it get replicated to the agent under the 
shared folder but it looks like eventlog is taking priority. Touching each 
agent is not feasible as I just don't have that kind of control, at least I 
would have to somehow repackage an ossec install and wrap a new config into 
it, then have my IT people reinstall it on hundreds of Windows systems. 
Although I'm testing filtering event ID 7000 on a workstation I have many 
Windows servers with the windows packet filtering bombarding the event 
logs. This ends up saturating my network links from the agent to the 
manager which I want to eliminate.

In ossec.conf
  
System
eventlog
  

In Shared folder as agent.conf


  
System
eventchannel
Event/System[EventID!=7000]
  



-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Very big syscheck queue - how to deal with it?

2017-04-20 Thread B. S. 

> To clear a syscheck db:
> 1. stop the ossec processes on the server
> 2. /var/ossec/bin/syscheck_control -u AGENT_ID
> 3. Start the ossec processes on the server

Thank you - "To clear a syscheck db" gave me the context needed to 
better understand syscheck_control --help.


So:
> 2. /var/ossec/bin/syscheck_control -u AGENT_ID

Could also have been '/var/ossec/bin/syscheck_control -u all'.

Granted, you could not know I'm on a local install with no remote agents.

However, sadly, /var/ossec/queue is still quite large. Per the OP.

In particular, in my case, /var/ossec/queue/diff

What is the appropriate way to squish this dir down?
(Corresponding question would then be, specifying a 'checkpoint'? Is 
that even possible - to, say, say maintain your original, or, say, as of 
1 month ago, so that diffs between then and now are kept?)


I see references to just deleting files in diff. Is that safe? i.e. 
Won't befuddle ossec? (I get I'll lose the change history.)



On 04/20/2017 01:29 PM, dan (ddp) wrote:

On Thu, Apr 20, 2017 at 1:02 PM, Bee esS  wrote:

If you need them shrunk, you'll have to clear the databases.


How?



When resurrecting 2+ year old threads, it might be best to offer more context.
To clear a syscheck db:
1. stop the ossec processes on the server
2. /var/ossec/bin/syscheck_control -u AGENT_ID
3. Start the ossec processes on the server



On Monday, 8 December 2014 08:03:57 UTC-5, dan (ddpbsd) wrote:


On Mon, Dec 8, 2014 at 7:17 AM, horst knete  wrote:


Now looking at our /var/ossec/queue/syscheck queue directory at the
server,
this folder has an size of 5.4 GB and contains 2 "files" for almost
every
ossec-client.


Those files grow because there are changes on the systems they
represent. Those are the syscheck database files. If you need them
shrunk, you'll have to clear the databases. I don't know what the rest
of that means though (the cpu/ram/network stuff).


Because none of these lacks are given i´d like to know how i can
decrease
the size of this queue.



--

---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.




--

--- 
You received this message because you are subscribed to the Google Groups "ossec-list" group.

To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[ossec-list] Re: Deleting the OSSEC agent 'queue' directory

2017-04-20 Thread Bee esS 
Bump.

On Wednesday, 19 August 2015 10:51:26 UTC-4, Jamey B wrote:
>
> I'm making a CRON job to remove anything in the queue folder, would this 
> be a good CRON job if I wanted the directory cleared if the items are over 
> 5 days old and I want it ran once a day at 10PM? The last time I took my 
> OSSEC server down, the agent disk space started getting too big in 
> /var/ossec/queue/diff/local after a few weeks. Would any other directories 
> do the same thing, or is this the only directory that gets queue data?
>
> 0 22 * * * /usr/bin/find /var/ossec/queue/diff/local/* -mtime +5 -exec rm 
> {} \;
>
>
>  I don't want the OSSEC agent to take up a lot of disk space, what else 
> could I do?
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Very big syscheck queue - how to deal with it?

2017-04-20 Thread Bee esS 
> If you need them shrunk, you'll have to clear the databases.

How?

On Monday, 8 December 2014 08:03:57 UTC-5, dan (ddpbsd) wrote:
>
> On Mon, Dec 8, 2014 at 7:17 AM, horst knete  > wrote: 
> > 
> > Now looking at our /var/ossec/queue/syscheck queue directory at the 
> server, 
> > this folder has an size of 5.4 GB and contains 2 "files" for almost 
> every 
> > ossec-client. 
>
> Those files grow because there are changes on the systems they 
> represent. Those are the syscheck database files. If you need them 
> shrunk, you'll have to clear the databases. I don't know what the rest 
> of that means though (the cpu/ram/network stuff). 
>
> > Because none of these lacks are given i´d like to know how i can 
> decrease 
> > the size of this queue. 
>
>

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Very big syscheck queue - how to deal with it?

2017-04-20 Thread dan (ddp) 
On Thu, Apr 20, 2017 at 1:02 PM, Bee esS  wrote:
>> If you need them shrunk, you'll have to clear the databases.
>
> How?
>

When resurrecting 2+ year old threads, it might be best to offer more context.
To clear a syscheck db:
1. stop the ossec processes on the server
2. /var/ossec/bin/syscheck_control -u AGENT_ID
3. Start the ossec processes on the server


> On Monday, 8 December 2014 08:03:57 UTC-5, dan (ddpbsd) wrote:
>>
>> On Mon, Dec 8, 2014 at 7:17 AM, horst knete  wrote:
>> >
>> > Now looking at our /var/ossec/queue/syscheck queue directory at the
>> > server,
>> > this folder has an size of 5.4 GB and contains 2 "files" for almost
>> > every
>> > ossec-client.
>>
>> Those files grow because there are changes on the systems they
>> represent. Those are the syscheck database files. If you need them
>> shrunk, you'll have to clear the databases. I don't know what the rest
>> of that means though (the cpu/ram/network stuff).
>>
>> > Because none of these lacks are given i´d like to know how i can
>> > decrease
>> > the size of this queue.
>>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [ossec-list] Re: Deleting the OSSEC agent 'queue' directory

2017-04-20 Thread Patrick Tobin 
Here is my solution if you are using active response and allow remote commands.

AR Script (/var/ossec/active-response/bin/fix-var.sh)

#!/bin/bash
ARCommand='rm -rf /var/ossec/queue/diff/local/'
RDate=`date`
LOG=/var/ossec/logs/ar.log
date >> ${LOG}
$ARCommand >> ${LOG}

AR Rule (/var/ossec/rules/local_rules.xml)

  
530
ossec: output: 'df /var':
DiskFull
/var is getting full. Clearing logs
low_diskspace,
  

Command (/var/ossec/etc/shared/agent.conf)

  
command
Disk=`df /var | tail -1 | awk '{print $2}'`;vSize=`du 
/var/ossec/queue/diff/local | awk '{print $1}' | tail -1`;dStatus=`df -h /var | 
tail -1`;dStatus=`df -h /var | tail -1`;if [[ ${percent} -gt "75" ]]; then echo 
-n "DiskFull ${dStatus}";fi
360
df /var
  

Note: You can change the percentage at which this is activated to fit your 
environment. (if [[ ${percent} -gt "75" ]]) Change the ‘75’ to the percentage 
you would like it to activate.



From:  on behalf of Bee esS 
Reply-To: "ossec-list@googlegroups.com" 
Date: Thursday, April 20, 2017 at 1:03 PM
To: ossec-list 
Subject: [ossec-list] Re: Deleting the OSSEC agent 'queue' directory

Bump.

On Wednesday, 19 August 2015 10:51:26 UTC-4, Jamey B wrote:
I'm making a CRON job to remove anything in the queue folder, would this be a 
good CRON job if I wanted the directory cleared if the items are over 5 days 
old and I want it ran once a day at 10PM? The last time I took my OSSEC server 
down, the agent disk space started getting too big in 
/var/ossec/queue/diff/local after a few weeks. Would any other directories do 
the same thing, or is this the only directory that gets queue data?

0 22 * * * /usr/bin/find /var/ossec/queue/diff/local/* -mtime +5 -exec rm {} \;


 I don't want the OSSEC agent to take up a lot of disk space, what else could I 
do?
--

---
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to 
ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

-- 

--- 
You received this message because you are subscribed to the Google Groups 
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.