OSSEC is using a lot of drive space
Discussion
OSSEC can report what changed in a file, and can keep a record of all the changes that have occurred with that file. It will keep these "diffs" in this directory:
/var/ossec/queue/diff/local
This can be particularly helpful in determining whether a change is authorized, and it's also an excellent way to maintain a real-time record of a file or directory for change and revision control, as well as a real-time backup of those files. For example, OSSEC can tell you that a particular configuration option was removed or changed in a file, and can report those literal changes (as opposed to just an md5sum, as with basic file integrity checks). ASL will report what information has been altered and what the original and new information is (for example, with password files). This uses more resources, such as drive space, to store all of this change information.
In other cases, with log files for example, this type of diffing can take up a lot of drive space and is not useful. ASL excludes common log files used in standard systems.
Solution
If your system is recording all of the changes on files or directories where you do not wish ASL to record "diffs", log into the ASL gui and check your file integrity configuration for the "Report" option. If a directory is configured to "report", OSSEC will report the details of the change to you (it will generate a "diff"), and will store a record of all changes that occur over time.
Step 1: Log into the ASL web console
Step 2: Click on the ASL tab
Step 3: Click the File Integrity option
Step 4: Click on "Watch Rules"
Select the directory you want to modify. To turn off reporting (or generating diffs), set the "Report" option for the directory to "no". Then click "save changes".
Note: This will not delete the old diffs. You will have to manually remove those diffs. Do not remove the /var/ossec/queue/diff/local/ directory. Only remove subdirectories within that directory. You can also control how many days the system will keep these records with this setting:
https://wiki.atomicorp.com/wiki/index.php/ASL_Configuration#HIDS_CLEAN_DIFF
Reporting can use a significant amount of drive space on your system if you are reporting on files or directories that change often, such as logs, temporary or cache directories, or if you are using a product that changes your operating system a lot (some control panels recompile thousands of software packages nightly, and if you are monitoring these packages ASL will correctly report and log these changes).
You can exclude a subdirectory if you still want to report on changes in a directory, such as /etc. To exclude a subdirectory, log into the ASL GUI, click on the ASL tab, click on File Integrity, then click Options, and scroll to the bottom. From there click on the "--add rule--" drop down and select "ignore". This will then give you the option to type in the subdirectory you want to exclude. Type in that directory and then click "update".
Also, ASL will rotate the logs according to your logrotate policy. That policy file is:
/etc/logrotate.d/ossec-hids
You can change the parameters of this file to suit your needs. In general, the log files themselves are very small. The primary file space usage will come from "report" events, where "diffs" of changed files are stored.
You can also delete these diffs by running this command as root:
rm -rf /var/ossec/queue/diff/local/*
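As an added example (not ASL's or OSSEC's own tooling, and not from the original article), the shell script below does the two things an administrator usually wants before and after changing a watch rule: it lists which subdirectories of the diff store are using the most space, so you know which monitored path to set "Report" to "no" for, and it prunes diff entries older than a given number of days while leaving the diff store directory itself in place, in line with the note above. Age-based pruning by file modification time is an assumption of this example; HIDS_CLEAN_DIFF is the supported retention setting. The script runs against a constructed scratch tree; set DIFF_ROOT to /var/ossec/queue/diff/local (the default) to use the functions on the real store.

```shell
#!/bin/sh
# Added example, not part of ASL or OSSEC. Sizes up and ages out syscheck
# diffs. Assumes the diff store layout described in the article: one
# subdirectory per monitored path under /var/ossec/queue/diff/local.
DIFF_ROOT="${DIFF_ROOT:-/var/ossec/queue/diff/local}"

# Print the immediate subdirectories of the diff store with their size in
# KiB, biggest first. Run this before changing watch rules so the "Report"
# option is turned off for the path that is actually consuming the space.
diff_usage() {
    root="${1:-$DIFF_ROOT}"
    [ -d "$root" ] || { echo "diff_usage: $root is not a directory" >&2; return 1; }
    for d in "$root"/*/; do
        [ -d "$d" ] && du -sk "$d"
    done | sort -rn
}

# Remove diff files last modified more than DAYS days ago, then clear out
# subdirectories left empty. The store root itself is excluded from the
# rmdir pass, so /var/ossec/queue/diff/local is never removed.
# (Assumption of this example: pruning by mtime; HIDS_CLEAN_DIFF is the
# supported ASL setting for retention.)
prune_diffs() {
    days="$1"
    root="${2:-$DIFF_ROOT}"
    case "$days" in
        ''|*[!0-9]*) echo "prune_diffs: DAYS must be a non-negative integer" >&2; return 1 ;;
    esac
    [ -d "$root" ] || { echo "prune_diffs: $root is not a directory" >&2; return 1; }
    # delete stale diff files; -exec ... + runs nothing when there are no matches
    find "$root" -type f -mtime +"$days" -exec rm -f {} +
    # -depth visits children first; rmdir fails harmlessly on non-empty dirs
    find "$root" -depth -type d ! -path "$root" -exec rmdir {} \; 2>/dev/null
    return 0
}

# Build a constructed scratch store mirroring the real layout: two monitored
# files, one of them with a diff dated 2020-01-01 (well past any retention
# window) and one with a fresh diff.
make_sample_store() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/etc/passwd" "$sample_root/etc/ssh/sshd_config"
    printf 'old diff\n' > "$sample_root/etc/passwd/diff.1"
    printf 'recent diff\n' > "$sample_root/etc/ssh/sshd_config/diff.1"
    touch -t 202001010000 "$sample_root/etc/passwd/diff.1"
    printf '%s\n' "$sample_root"
}

SAMPLE=$(make_sample_store)
printf 'Usage before pruning:\n'
diff_usage "$SAMPLE"
prune_diffs 30 "$SAMPLE"
printf 'Usage after pruning diffs older than 30 days:\n'
diff_usage "$SAMPLE"
```

On a live system, run `diff_usage` first and compare its top entries with the watch rules in the ASL console; a log, cache or package directory near the top is the one whose "Report" option should be set to "no". Only then prune, so that the diffs you still want as a change record are not aged out by mistake.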