A few days ago I noticed that the disk of my Ubuntu server was almost full. I dug a bit and found out that the disk space was used by OSSEC, in the /var/ossec/queue/diff folder.
I wanted to try something immediate, so I deleted the contents of this folder. Everything was working normally and the disk space usage was back to a "normal" amount.
But the OSSEC queue folder is growing again.
Is there a setting to prevent the OSSEC queue from using all the disk space?
Best Answer
As far as I know, OSSEC itself doesn't delete logs. Look at the documentation.
You can use logrotate to rotate the OSSEC logs, but the /var/ossec/queue/diff folder is another story. You can safely delete the files in there and maintain OSSEC functionality, but you will lose the difference reports.
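An added example, not part of the original answer: instead of emptying the folder by hand, an age-based prune can run from cron and remove only old history. The function name `prune_ossec_diff` is hypothetical, and the script assumes that syscheck keeps history as `state.<timestamp>` and `diff.<timestamp>` files next to a `last-entry` baseline, which it leaves in place; difference reports older than the cutoff are lost, as the answer notes.

```shell
#!/bin/sh
# Added example: age-based pruning of OSSEC syscheck diff history.
# Assumption: history files are named state.<epoch> and diff.<epoch>, and the
# current baseline is named last-entry (kept so the next diff still works).

# prune_ossec_diff DIR DAYS [--dry-run]
# Prints the number of history files removed (or that would be removed).
prune_ossec_diff() {
    dir=$1
    days=$2
    mode=${3:-}

    # Refuse unsafe input instead of deleting from the wrong place.
    [ -n "$dir" ] && [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    case $days in
        ''|*[!0-9]*) echo "DAYS must be a non-negative integer" >&2; return 2 ;;
    esac

    # Count matches first. -xdev stays on one filesystem and -type f skips
    # symlinks, so nothing outside DIR is touched. One dot is printed per
    # file so that odd characters in monitored paths cannot skew the count.
    count=$(find "$dir" -xdev -type f \( -name 'state.*' -o -name 'diff.*' \) \
                 -mtime +"$days" -exec printf . \; | wc -c | tr -d ' ')

    if [ "$mode" != "--dry-run" ]; then
        find "$dir" -xdev -type f \( -name 'state.*' -o -name 'diff.*' \) \
             -mtime +"$days" -exec rm -f -- {} +
    fi
    echo "$count"
}

# Typical use as root, for example from a daily cron job:
#   prune_ossec_diff /var/ossec/queue/diff 30 --dry-run
#   prune_ossec_diff /var/ossec/queue/diff 30
```

Run it with `--dry-run` first and compare the count with `du -sh /var/ossec/queue/diff` to choose a retention period that fits the disk.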