Ubuntu – OSSEC disk space usage

Tags: disk-space-utilization, ossec, Security, Ubuntu

A few days ago I noticed that the disk of my Ubuntu server was almost full. I dug a bit and found out that the disk space was used by OSSEC, in the /var/ossec/queue/diff folder.

I wanted to try something immediate so I deleted the contents of this folder. Everything was working normally and the disk space usage went back to a "normal" amount.

But the OSSEC queue folder is growing again.

Is there a setting to prevent the OSSEC queue from using all the disk space?

Best Answer

As far as I know, OSSEC itself doesn't delete logs. Look at the documentation:

Where are OSSEC’s logs stored?

On OSSEC server and local installs there are several classes of OSSEC logs. There are the logs created by the OSSEC daemons, the log messages from the agents, and the alerts. Agent installs do not have logs from other agents or alerts, but do have logs created by the OSSEC processes.

All logs are stored in subdirectories of /var/ossec/logs. OSSEC’s log messages are stored in /var/ossec/logs/ossec.log.

Log messages from the agents are not stored by default. After analysis they are deleted unless the option is included in the manager’s ossec.conf. If set all log messages sent to the manager are stored in /var/ossec/logs/archives/archives.log and rotated daily.

Alerts are stored in /var/ossec/logs/alerts/alerts.log, and rotated daily.

You can use logrotate to rotate the ossec logs, but the /var/ossec/queue/diff folder is another story.

You can safely delete the files in there and maintain OSSEC functionality, but you will lose the difference reports.
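As an added example (not code from the original answer or from the OSSEC project), here is a small POSIX shell script that does what the answer describes in a controlled way: it prunes files under the diff queue that are older than a retention window, with a dry-run mode that only reports how many files would go, and it writes a logrotate fragment for ossec.log, the one OSSEC log the quoted documentation does not say is rotated by OSSEC itself. The install prefix /var/ossec, the 14-day logrotate retention and the use of copytruncate are assumptions; pick a retention window for the diff queue that matches how far back you need change reports, since anything pruned is a baseline syscheck will rebuild rather than diff against.

```shell
#!/bin/sh
# Added example, not code from the original post or from the OSSEC project.
# Assumptions: OSSEC is installed under /var/ossec (override with OSSEC_DIR),
# and files under queue/diff older than the retention window may be removed.

OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# count_stale DIR DAYS
# Prints the number of regular files under DIR modified more than DAYS days
# ago, i.e. exactly the set a prune would delete.
count_stale() {
    find "$1" -type f -mtime +"$2" 2>/dev/null | wc -l | tr -d ' '
}

# prune_ossec_diff DIR DAYS [dry]
# Deletes files under DIR older than DAYS days and prints how many matched.
# With a third argument of "dry" it only prints the count. Returns 1 when
# DIR does not exist so a typo cannot silently become a no-op.
prune_ossec_diff() {
    dir="$1"; days="$2"; mode="${3:-apply}"
    [ -d "$dir" ] || { echo "prune_ossec_diff: no such directory: $dir" >&2; return 1; }
    n=$(count_stale "$dir" "$days")
    if [ "$mode" = "apply" ] && [ "$n" -gt 0 ]; then
        # -exec ... {} + is POSIX; find's -delete is not.
        find "$dir" -type f -mtime +"$days" -exec rm -f {} +
        # Drop per-file directories that are now empty; rmdir refuses to
        # remove non-empty ones, so errors are expected and ignored.
        find "$dir" -depth -type d ! -path "$dir" -exec rmdir {} \; 2>/dev/null || true
    fi
    echo "$n"
}

# write_ossec_logrotate PATH
# Writes a logrotate fragment for ossec.log (alerts.log and archives.log are
# already rotated daily by OSSEC according to its documentation). copytruncate
# avoids having to restart the OSSEC daemons so they reopen the file.
write_ossec_logrotate() {
    cat > "$1" <<'EOF'
/var/ossec/logs/ossec.log {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    copytruncate
}
EOF
}

# Usage: PRUNE_DAYS=30 sh prune-ossec-diff.sh        (apply)
#        PRUNE_DAYS=30 PRUNE_MODE=dry sh prune-ossec-diff.sh
# Nothing runs unless PRUNE_DAYS is set, so sourcing the file is safe.
if [ -n "${PRUNE_DAYS:-}" ]; then
    prune_ossec_diff "$OSSEC_DIR/queue/diff" "$PRUNE_DAYS" "${PRUNE_MODE:-apply}"
fi
```

Run it from cron with a dry run first and compare the count against what `du -sh /var/ossec/queue/diff` reports; once the retention looks right, switch to apply. The same prune function can be pointed at other directories that grow over time, but leave the OSSEC-rotated alert and archive logs to OSSEC's own daily rotation rather than pruning them underneath it.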
