A few days ago I noticed that the disk of my Ubuntu server was almost full. I dug a bit and found out that the disk space was used by OSSEC, in the /var/ossec/queue/diff folder.
I wanted to try something immediate so I deleted the contents of this folder. Everything was working normally and the disk space usage back to a "normal" amount.
But the OSSEC queue folder is growing again.
Is there a setting to prevent the OSSEC queue from using all the disk space?
As far as I know, OSSEC itself doesn't delete logs. Look at the documentation
Where are OSSEC’s logs stored?¶
On OSSEC server and local installs there are several classes of OSSEC logs. There are the logs created by the OSSEC daemons, the log messages from the agents, and the alerts. Agent installs do not have logs from other agents or alerts, but do have logs created by the OSSEC processes.
All logs are stored in subdirectories of /var/ossec/logs. OSSEC’s log messages are stored in /var/ossec/logs/ossec.log.
Log messages from the agents are not stored by default. After analysis they are deleted unless the option is included in the manager’s ossec.conf. If set all log messages sent to the manager are stored in /var/ossec/logs/archives/archives.log and rotated daily.
Alerts are stored in /var/ossec/logs/alerts/alerts.log, and rotated daily.
You can use logrotate to rotate the ossec logs, but the /var/ossec/queue/diff folder is another story.
You can safely delete the files in there and maintain OSSEC functionality, but you will lose the difference reports.
It seems if you add report_changes to your directories like i did it c an cause this: /home/wordpress/sites/
Report Changes OSSEC supports sending diffs when changes are made to text files on Linux and unix systems.
Configuring syscheck to show diffs is simple, add report_changes="yes" to the
/etc /bin,/sbin Note Report Changes can only work with text files, and the changes are stored on the agent inside /var/ossec/queue/diff/local/dir/file. If OSSEC has not been compiled with libmagic support, report_changes will copy any file designated, e.g. mp3, iso, executable, /chroot/dev/urandom (which would fill your hard drive). So unless libmagic is used, be very carefull on which directory you enable report_changes.
Very old post, but as I find myself in same situation again, I will document my solution here this time. May help someone or at least my future self.
First to answer OP, the main and only way to control the diff generation with OSSEC itself is the report_changes parameter on <directories> element in your ossec.conf file. For example:
<directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin,/boot</directories>
The report_changes param is what tells ossec to create a diff for each file in that directory. That diff is created each time a file is changed. So you can imagine why the diff dir gets huge over time.
Unfortunately there is no other way to control that with ossec itself. It's up to you to cleanup the diff folder yourself or just disable reporting on folders that get too big.
I chose the first option: cleanup the diff folder myself. For that I created a simple bash script that I run with daily cron. It goes something like this:
DIFFPATH=/var/ossec/queue/diff/local
KEEP_DAYS=365
# find all files which name starts with 'state' or 'diff', not modified in last 365 days
for $file in $(find $DIFFPATH -type f -name '[state|diff]*' -mtime +$KEEP_DAYS)
do
rm $file
done
Note that this does not delete directories, nor the last-entry file. Only the files diff.1583679666 and state.1583679666 files are deleted. So you will still keep the latest version, even if its very old.
Logrotate is the answer (as mentioned by Lenniey), but this'll only work once in a while. Why not use the long forgotten lore of disk quota to prevent logs from eating all free space?
