Using OSSEC - huge size of /var/ossec/queue/diff

May 6, 2015 10.5k views
Security System Tools Ubuntu
1609133877c438ef127b954e276fdbbf3be3e43a
By:
Sinklar

Hi,

I'm using OSSEC on my Ubuntu server. I saw that the disk was almost full. I searched for the biggest folders and I found out that the folder /var/ossec/queue/diff was really huge and filling all the disk.

Is it normal? Is there a setting on OSSEC to prevent this from happening?

11 comments
  • Sinklar May 10, 2015

    @finid Any idea?

  • finid May 11, 2015

    Are you monitoring the OSSEC directory? That is, did you include /var/ossec or any of its sub-directories in the list of monitored directories in ossec.conf?

  • Sinklar May 11, 2015

    No, and I even added /var/ossec to be ignored with <ignore>/var/ossec</ignore>... I don't see what else to do.

  • Sinklar May 14, 2015

    That folder alone is now using almost 75% of my disk space, which is almost full. Do you have another idea, @finid? :(

  • finid May 15, 2015

    A default installation of OSSEC should not be using up disk space at the rate you're indicating. So it's not normal. Something has been misconfigured.

    If you provide some detail as to what you did after installation, it would be easier to help. Ignoring the OSSEC directory in ossec.conf should help, but you should not need to do that unless you're monitoring OSSEC's directory.

  • Sinklar May 15, 2015

    Thanks for your help @finid. Actually, I didn't do anything special, I installed it like in your tutorial for Ubuntu 14.04.

    These are the directories monitored for changes :

    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
<directories report_changes="yes" realtime="yes" restrict=".php|.js|.py|.sh|.html" check_all="yes">/home,/var/www,/srv</directories>

    I also added a few directories to ignore (like WordPress cache, etc.). But that's all I think, except that I installed Webmin afterwards, because it was the last step I had planed for my server config.

  • finid May 15, 2015

    I don't see anything in the monitored directories that should cause excessive disk usage, but why are you monitoring /srv? What purpose does that serve and what's in that directory in your installation?

    My only suggestion now is this: remove /srv from monitored directories, then restart OSSEC and see if that made any difference

  • Sinklar May 15, 2015

    Well, /srv is where the websites are located so I thought it would be a good idea to monitor it. But I'll try your suggestion right now. Thanks.

  • Sinklar May 18, 2015

    Hi @finid,

    I took another look at the directory /var/ossec/queue/diff. It looks like it contains a copy of my whole server, or something that looks like that. I guess it's normal to have files duplicated here for the diff to work, but I don't understand why my server seems to be fully duplicated here... Let me know if you have any other idea. :) Here is my full ossec.conf if it can help.

    <ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <email_to>my@email.com</email_to>
    <smtp_server>localhost</smtp_server>
    <email_from>server@email.com</email_from>
  </global>

  <rules>
    <include>rules_config.xml</include>
    <include>pam_rules.xml</include>
    <include>sshd_rules.xml</include>
    <include>telnetd_rules.xml</include>
    <include>syslog_rules.xml</include>
    <include>arpwatch_rules.xml</include>
    <include>symantec-av_rules.xml</include>
    <include>symantec-ws_rules.xml</include>
    <include>pix_rules.xml</include>
    <include>named_rules.xml</include>
    <include>smbd_rules.xml</include>
    <include>vsftpd_rules.xml</include>
    <include>pure-ftpd_rules.xml</include>
    <include>proftpd_rules.xml</include>
    <include>ms_ftpd_rules.xml</include>
    <include>ftpd_rules.xml</include>
    <include>hordeimp_rules.xml</include>
    <include>roundcube_rules.xml</include>
    <include>wordpress_rules.xml</include>
    <include>cimserver_rules.xml</include>
    <include>vpopmail_rules.xml</include>
    <include>vmpop3d_rules.xml</include>
    <include>courier_rules.xml</include>
    <include>web_rules.xml</include>
    <include>web_appsec_rules.xml</include>
    <include>apache_rules.xml</include>
    <include>nginx_rules.xml</include>
    <include>php_rules.xml</include>
    <include>mysql_rules.xml</include>
    <include>postgresql_rules.xml</include>
    <include>ids_rules.xml</include>
    <include>squid_rules.xml</include>
    <include>firewall_rules.xml</include>
    <include>cisco-ios_rules.xml</include>
    <include>netscreenfw_rules.xml</include>
    <include>sonicwall_rules.xml</include>
    <include>postfix_rules.xml</include>
    <include>sendmail_rules.xml</include>
    <include>imapd_rules.xml</include>
    <include>mailscanner_rules.xml</include>
    <include>dovecot_rules.xml</include>
    <include>ms-exchange_rules.xml</include>
    <include>racoon_rules.xml</include>
    <include>vpn_concentrator_rules.xml</include>
    <include>spamd_rules.xml</include>
    <include>msauth_rules.xml</include>
    <include>mcafee_av_rules.xml</include>
    <include>trend-osce_rules.xml</include>
    <include>ms-se_rules.xml</include>
    <!-- <include>policy_rules.xml</include> -->
    <include>zeus_rules.xml</include>
    <include>solaris_bsm_rules.xml</include>
    <include>vmware_rules.xml</include>
    <include>ms_dhcp_rules.xml</include>
    <include>asterisk_rules.xml</include>
    <include>ossec_rules.xml</include>
    <include>attack_rules.xml</include>
    <include>openbsd_rules.xml</include>
    <include>clam_av_rules.xml</include>
    <include>dropbear_rules.xml</include>
    <include>local_rules.xml</include>
  </rules>  

  <syscheck>
    <!-- Frequency that syscheck is executed - default to every 22 hours -->
    <frequency>79200</frequency>

    <alert_new_files>yes</alert_new_files>    
    <!-- Directories to check  (perform all possible verifications) -->
    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>

    <directories report_changes="yes" realtime="yes" restrict=".php|.js|.py|.sh|.html" check_all="yes">/home/my_user,/srv</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/mnttab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <ignore>/var/ossec</ignore>

    <ignore>/srv/wordpress_website.com/wp-content/cache</ignore>
    <ignore>/etc/webmin/package-updates</ignore>

    <!-- Windows files to ignore -->
    <ignore>C:\WINDOWS/System32/LogFiles</ignore>
    <ignore>C:\WINDOWS/Debug</ignore>
    <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
    <ignore>C:\WINDOWS/iis6.log</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
    <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
    <ignore>C:\WINDOWS/Prefetch</ignore>
    <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
    <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
    <ignore>C:\WINDOWS/Temp</ignore>
    <ignore>C:\WINDOWS/system32/config</ignore>
    <ignore>C:\WINDOWS/system32/spool</ignore>
    <ignore>C:\WINDOWS/system32/CatRoot</ignore>
  </syscheck>

  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
    <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
    <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
  </rootcheck>

  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>8.8.8.8</white_list>
    <white_list>8.8.4.4</white_list>
  </global>

  <alerts>
    <log_alert_level>2</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <command>
    <name>host-deny</name>
    <executable>host-deny.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <command>
    <name>disable-account</name>
    <executable>disable-account.sh</executable>
    <expect>user</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>  

  <command>
    <name>restart-ossec</name>
    <executable>restart-ossec.sh</executable>
    <expect></expect>
  </command>


  <command>
    <name>route-null</name>
    <executable>route-null.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>


  <!-- Active Response Config -->
  <active-response>
    <!-- This response is going to execute the host-deny
       - command for every event that fires a rule with
       - level (severity) >= 6.
       - The IP is going to be blocked for  600 seconds.
      -->
    <command>host-deny</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>
  </active-response>

  <active-response>
    <!-- Firewall Drop response. Block the IP for
       - 600 seconds on the firewall (iptables,
       - ipfilter, etc).
      -->
    <command>firewall-drop</command>
    <location>local</location>
    <level>6</level>
    <timeout>600</timeout>    
  </active-response>  

  <!-- Files to monitor (localfiles) -->

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/messages</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
    <log_format>command</log_format>
    <command>df -h</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
  </localfile>

  <localfile>
    <log_format>full_command</log_format>
    <command>last -n 5</command>
  </localfile>
</ossec_config>
  • finid May 19, 2015

    There's no point in posting the entire content of ossec.conf.

    What happened when you removed /srv/ from monitored directories and restarted?

    Note that you can still monitor /srv, but ignore the access and error log files.

  • Sinklar May 20, 2015

    Sorry about that, I thought it could be helpful.

    I did what you suggested yesterday but it doesn't change anything, as far as I can tell.

Log In to Comment
2 Answers
Sinklar May 26, 2015

I think I found the issue. As I mentioned in a comment above, I installed Webmin after OSSEC. It looks like the cause of OSSEC using such a big amount of disk space is the Webmin system status (which is updated all the time).

I added the corresponding folder to the ignore list of OSSEC and it seems it solved the issue.

<ignore>/etc/webmin/system-status</ignore>

--

Thanks @finid for the many answers.

Reply
finid June 1, 2015

Cool! Happy for you.

Reply
Have another answer? Share your knowledge.

Related Questions