active-responses log filling up drive

Posted: Wed Jul 03, 2019 9:07 pm
by dpcllc
Hi, for some reason my OSSEC has started creating state logs every min and filling up my drive space.

/var/ossec/queue/diff/local/val/ossec/logs/active-responses.log is the log file

How can I check to see why this is happening so I can stop it?

Thanks

Re: active-responses log filling up drive

Posted: Fri Jul 05, 2019 2:59 pm
by mikeshinn
It looks like you've included either /var or /var/ossec in your FIM settings, and configured them further to report the content of changes in those directories (record diffs). Just log into the AEO GUI, and click on the "ASL" tab, select "File Integrity", then select "Watch Rules" and you'll see a listing of all your directories and their settings for the FIM module. Scroll down to the parent directory "/var" or even a child if that was added (like "/var/ossec") and change the "Report" setting to "no", then click the Save button, and you're all set.
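For those managing OSSEC without the AEO GUI, the same check can be done against ossec.conf directly: find any `<directories>` entry in `<syscheck>` that has `report_changes="yes"` and covers the OSSEC install tree, since that is what turns every write to active-responses.log into a new diff under queue/diff. This is an added example, not code from either poster; the ossec.conf fragment inside it is constructed for illustration.

```python
"""Flag OSSEC syscheck <directories> entries that record diffs (report_changes="yes")
and cover the OSSEC home directory itself, so its own logs get re-diffed every scan."""
import xml.etree.ElementTree as ET
from posixpath import normpath

# Constructed sample config: /var is watched with diffs recorded, which also
# covers /var/ossec, and the scan runs every 60 seconds (matching "every min").
SAMPLE_OSSEC_CONF = """<ossec_config>
  <syscheck>
    <frequency>60</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" report_changes="yes">/var,/home</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</ossec_config>"""


def covers(watched: str, target: str) -> bool:
    """True if `target` is `watched` itself or lies somewhere under it."""
    w, t = normpath(watched), normpath(target)
    return t == w or t.startswith(w.rstrip("/") + "/")


def find_diff_loops(conf_xml: str, ossec_home: str = "/var/ossec") -> list:
    """Return each watched directory that records diffs and covers ossec_home,
    together with the <frequency> (seconds) the syscheck scan runs at."""
    root = ET.fromstring(conf_xml)
    findings = []
    for syscheck in root.iter("syscheck"):
        freq = syscheck.findtext("frequency")
        for entry in syscheck.iter("directories"):
            if entry.get("report_changes", "no").lower() != "yes":
                continue
            for path in (p.strip() for p in (entry.text or "").split(",")):
                if path and covers(path, ossec_home):
                    findings.append({"directory": path,
                                     "frequency": int(freq) if freq else None})
    return findings


if __name__ == "__main__":
    for f in find_diff_loops(SAMPLE_OSSEC_CONF):
        print(f"{f['directory']} records diffs and covers /var/ossec "
              f"(scan every {f['frequency']} s): set report_changes=\"no\" "
              f"on it or exclude /var/ossec")
```

Run it against a copy of the real ossec.conf to get the same answer the Watch Rules tab gives; anything it lists is a candidate for setting Report to "no".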