active-responses log filling up drive

Support/Development for OSSEC
dpcllc
Forum User
Posts: 14
Joined: Fri Oct 24, 2014 6:05 pm
Location: Philadelphia

active-responses log filling up drive

Unread post by dpcllc »

Hi, for some reason my OSSEC has started creating state logs every minute and filling up my drive space.

/var/ossec/queue/diff/local/val/ossec/logs/active-responses.log is the log file

How can I check to see why this is happening so I can stop it?

Thanks
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4122
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: active-responses log filling up drive

Unread post by mikeshinn »

It looks like you're including either /var or /var/ossec in your FIM settings, and have configured them further to report the content of changes in those directories (record diffs). Just log into the AEO GUI, click on the "ASL" tab, select "File Integrity", then select "Watch Rules" and you'll see a listing of all your directories and their settings for the FIM module. Scroll down to the parent directory "/var" or even a child if that was added (like "/var/ossec") and change the "Report" setting to "no", then click the Save button, and you're all set.
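Outside the GUI, the same setting is the `report_changes="yes"` attribute on a syscheck `<directories>` entry in ossec.conf. The script below is an added example (not from this thread, OSSEC or Atomicorp) that finds which diff-recording watch entries cover a given file, run against a constructed weak config and its corrected form; the default config path /var/ossec/etc/ossec.conf is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or from OSSEC/Atomicorp: checks an
# ossec.conf for syscheck <directories> entries that have report_changes="yes"
# (the setting that stores a diff copy under queue/diff for every change)
# and that cover a given file.  On a real host read the config from
# /var/ossec/etc/ossec.conf (default install path, assumed here).

# Constructed sample config showing the weak setting: /var is watched with
# diff recording on, so OSSEC's own active-responses.log is diffed each time
# it changes.
WEAK_CONF='<ossec_config>
  <syscheck>
    <frequency>60</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" report_changes="yes">/var</directories>
    <ignore>/etc/mtab</ignore>
  </syscheck>
</ossec_config>'

# Corrected form: diffs stay off for the broad /var entry, and OSSEC's own
# constantly changing logs and queue are excluded from syscheck altogether.
FIXED_CONF='<ossec_config>
  <syscheck>
    <frequency>60</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/var</directories>
    <ignore>/etc/mtab</ignore>
    <ignore>/var/ossec/logs</ignore>
    <ignore>/var/ossec/queue</ignore>
  </syscheck>
</ossec_config>'

# Usage: diff_watchers_for "<config text>" /path/to/file
# Prints each report_changes="yes" directory that is a parent of the file;
# exit status 0 if at least one matched, 1 otherwise.
diff_watchers_for() {
    conf=$1; target=$2
    printf '%s\n' "$conf" \
      | grep -o '<directories[^>]*report_changes="yes"[^>]*>[^<]*' \
      | sed 's/.*>//' | tr ',' '\n' \
      | while read -r dir; do
            case "$target" in
                "$dir"|"$dir"/*) printf '%s\n' "$dir" ;;
            esac
        done | grep .
}

diff_watchers_for "$WEAK_CONF"  /var/ossec/logs/active-responses.log   # /var
diff_watchers_for "$FIXED_CONF" /var/ossec/logs/active-responses.log \
  || echo "no diff-recording watcher covers it"
```

On a live host, `du -sh /var/ossec/queue/diff` shows how much space the stored diffs are already taking.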