One of our backup solution's folders is being diff'ed by OSSEC and it is taking up a lot of space.
A) Should I edit ossec.conf and add <ignore>/path/to/folder/</ignore> or is there an ASL specific recommended way to do this?
B) Is it safe to delete the contents of this folder in /var/ossec/queue/diff/local/path/to/folder?
C) What is the default setting in ASL's conf of OSSEC for how many diffs are stored? How far back is the history kept?
Thanks.
How to set OSSEC to ignore certain folders
CentOS 6.9
ASL 4.0.19-37
Re: How to set OSSEC to ignore certain folders
In the GUI, under the ASL tab, check out File Integrity. That's where you would normally add extra directories to ignore.
I would assume that as soon as you have added it to the ignore list, it would be safe to delete, but....
I'm not sure how long the diffs go back. They certainly take a huge amount of space in some cases.
So we'll wait for official word on these two questions.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
Re: How to set OSSEC to ignore certain folders
Official word was:
A) Ignores are configured in ASL Web->File Integrity->Ignore Rules
B) You can, but it can increase disk I/O: when it scans again, it will add back the most recent copies. C is a better way to do it.
C) Retention is configured from ASL Web->Settings->ASL Configuration->Host Intrusion Detection System->Number of Days to retain File Diff data
The default is to retain revisions for 60 days.
CentOS 6.9
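Before touching the ignore rules or the retention setting, it helps to know which monitored path is actually filling the diff store and how much of it is older than the retention window. The script below is an added example written for this thread; it is not code from the forum, from Atomicorp, or from OSSEC itself. It assumes the diff store layout named in the thread (/var/ossec/queue/diff/local/<monitored path>), the 60-day default retention quoted above, and only standard POSIX tools (du, find, sort, wc). The sample tree it builds is constructed for the demo, so it runs without a real OSSEC install; point DIFF_ROOT at a real store to use it for inspection.

```shell
#!/bin/sh
# Added example, not code from the thread or from Atomicorp/OSSEC.
# Inspects an OSSEC syscheck diff store (the thread's
# /var/ossec/queue/diff/local/<monitored path>) to answer two practical
# questions: which monitored path is eating the space, and how many stored
# snapshots are older than the retention window (60 days by default in ASL,
# per the thread). Assumes only standard POSIX tools (du, find, sort, wc).

DIFF_ROOT="${DIFF_ROOT:-/var/ossec/queue/diff/local}"

# diff_usage ROOT
# Print "<KiB><tab><path>" for each top-level entry under ROOT, largest
# first, so the folder responsible for the growth is the first line.
diff_usage() {
    root="$1"
    [ -d "$root" ] || { echo "diff_usage: no such directory: $root" >&2; return 1; }
    for entry in "$root"/*; do
        [ -e "$entry" ] || continue      # empty store: glob stays literal
        du -sk "$entry"
    done | sort -rn
}

# largest_entry ROOT
# Path of the biggest top-level entry (empty string if the store is empty).
largest_entry() {
    diff_usage "$1" | head -n 1 | cut -f2-
}

# stale_count ROOT DAYS
# Number of stored snapshot files whose mtime is older than DAYS days,
# i.e. roughly what a "retain for DAYS days" setting would be dropping.
stale_count() {
    root="$1"; days="$2"
    find "$root" -type f -mtime +"$days" | wc -l | tr -d ' '
}

# make_demo_tree
# Builds a constructed sample store in a temp dir and prints its path:
# a small snapshot for /etc and a 64 KiB snapshot for a backup scratch
# folder, backdated so it falls outside a 60-day retention window.
make_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/backup/tmp"
    printf 'root:x:0:0\n' > "$tmp/etc/passwd.state"
    dd if=/dev/zero of="$tmp/backup/tmp/big.state" bs=1024 count=64 2>/dev/null
    touch -t 201901010000 "$tmp/backup/tmp/big.state"   # well over 60 days old
    echo "$tmp"
}

# Stand-alone run against the constructed tree (set DIFF_ROOT and call
# diff_usage "$DIFF_ROOT" / stale_count "$DIFF_ROOT" 60 to inspect a real store).
demo=$(make_demo_tree)
echo "Diff store usage under $demo:"
diff_usage "$demo"
echo "Snapshots older than 60 days: $(stale_count "$demo" 60)"
rm -rf "$demo"
```

On the demo tree the backup folder sorts to the top and exactly one snapshot counts as stale, which mirrors the situation in the thread: a scratch folder that the backup job churns through shows up as the largest diff subtree, and the retention setting, not manual deletion, is what keeps it bounded.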
Re: How to set OSSEC to ignore certain folders
Brilliant, thanks.
I don't quite understand the answer to B though.
If the directory is ignored, why would it be scanned again?
Even if it was scanned again, I'm curious to know what exactly would be put back other than the most recent (single) diff (or diffs if there are a lot of files), which I'd have thought would result in the same or at least similar I/O as would normally happen? I guess it depends on the files and how much changes?
Atomicorp Staff - Site Admin
Re: How to set OSSEC to ignore certain folders
I think he was asking if he deleted a whole diff tree that wasn't ignored. The next cycle (<frequency>XXXX) it would make copies of the files again.
Re: How to set OSSEC to ignore certain folders
scott wrote: I think he was asking if he deleted a whole diff tree that wasn't ignored. The next cycle (<frequency>XXXX) it would make copies of the files again.
In my case it wouldn't. The diff scan and the backup run roughly at the same time, and I am changing that. But the temporary files created by the backup solution were getting picked up by the diff process. Since they are deleted once the backup completes, the next time the diff runs it won't have any files to watch over in that folder.
CentOS 6.9
Re: How to set OSSEC to ignore certain folders
Ah, yes, I understand.
Thanks to both of you.