By:
Sinklar

Using OSSEC - huge size of /var/ossec/queue/diff

May 6, 2015 7.8k views
Security System Tools Ubuntu

Hi,

I'm using OSSEC on my Ubuntu server. I saw that the disk was almost full. I searched for the biggest folders and I found out that the folder /var/ossec/queue/diff was really huge and filling all the disk.

Is it normal? Is there a setting on OSSEC to prevent this from happening?

11 comments
  • Are you monitoring the OSSEC directory? That is, did you include /var/ossec or any of its sub-directories in the list of monitored directories in ossec.conf?

  • No, and I even added /var/ossec to be ignored with <ignore>/var/ossec</ignore>... I don't see what else to do.

  • That folder alone is now using almost 75% of my disk space, which is almost full. Do you have another idea, @finid? :(

  • A default installation of OSSEC should not be using up disk space at the rate you're indicating. So it's not normal. Something has been misconfigured.

    If you provide some detail as to what you did after installation, it would be easier to help. Ignoring the OSSEC directory in ossec.conf should help, but you should not need to do that unless you're monitoring OSSEC's directory.

  • Thanks for your help @finid. Actually, I didn't do anything special, I installed it like in your tutorial for Ubuntu 14.04.

    These are the directories monitored for changes:

    <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
    <directories report_changes="yes" realtime="yes" restrict=".php|.js|.py|.sh|.html" check_all="yes">/home,/var/www,/srv</directories>
    

    I also added a few directories to ignore (like WordPress cache, etc.). But that's all I think, except that I installed Webmin afterwards, because it was the last step I had planned for my server config.

  • I don't see anything in the monitored directories that should cause excessive disk usage, but why are you monitoring /srv? What purpose does that serve and what's in that directory in your installation?

    My only suggestion now is this: remove /srv from monitored directories, then restart OSSEC and see if that made any difference.

  • Well, /srv is where the websites are located so I thought it would be a good idea to monitor it. But I'll try your suggestion right now. Thanks.

  • Hi @finid,

    I took another look at the directory /var/ossec/queue/diff. It looks like it contains a copy of my whole server, or something that looks like that. I guess it's normal to have files duplicated here for the diff to work, but I don't understand why my server seems to be fully duplicated here... Let me know if you have any other idea. :) Here is my full ossec.conf if it can help.

    <ossec_config>
      <global>
        <email_notification>yes</email_notification>
        <email_to>my@email.com</email_to>
        <smtp_server>localhost</smtp_server>
        <email_from>server@email.com</email_from>
      </global>
    
      <rules>
        <include>rules_config.xml</include>
        <include>pam_rules.xml</include>
        <include>sshd_rules.xml</include>
        <include>telnetd_rules.xml</include>
        <include>syslog_rules.xml</include>
        <include>arpwatch_rules.xml</include>
        <include>symantec-av_rules.xml</include>
        <include>symantec-ws_rules.xml</include>
        <include>pix_rules.xml</include>
        <include>named_rules.xml</include>
        <include>smbd_rules.xml</include>
        <include>vsftpd_rules.xml</include>
        <include>pure-ftpd_rules.xml</include>
        <include>proftpd_rules.xml</include>
        <include>ms_ftpd_rules.xml</include>
        <include>ftpd_rules.xml</include>
        <include>hordeimp_rules.xml</include>
        <include>roundcube_rules.xml</include>
        <include>wordpress_rules.xml</include>
        <include>cimserver_rules.xml</include>
        <include>vpopmail_rules.xml</include>
        <include>vmpop3d_rules.xml</include>
        <include>courier_rules.xml</include>
        <include>web_rules.xml</include>
        <include>web_appsec_rules.xml</include>
        <include>apache_rules.xml</include>
        <include>nginx_rules.xml</include>
        <include>php_rules.xml</include>
        <include>mysql_rules.xml</include>
        <include>postgresql_rules.xml</include>
        <include>ids_rules.xml</include>
        <include>squid_rules.xml</include>
        <include>firewall_rules.xml</include>
        <include>cisco-ios_rules.xml</include>
        <include>netscreenfw_rules.xml</include>
        <include>sonicwall_rules.xml</include>
        <include>postfix_rules.xml</include>
        <include>sendmail_rules.xml</include>
        <include>imapd_rules.xml</include>
        <include>mailscanner_rules.xml</include>
        <include>dovecot_rules.xml</include>
        <include>ms-exchange_rules.xml</include>
        <include>racoon_rules.xml</include>
        <include>vpn_concentrator_rules.xml</include>
        <include>spamd_rules.xml</include>
        <include>msauth_rules.xml</include>
        <include>mcafee_av_rules.xml</include>
        <include>trend-osce_rules.xml</include>
        <include>ms-se_rules.xml</include>
        <!-- <include>policy_rules.xml</include> -->
        <include>zeus_rules.xml</include>
        <include>solaris_bsm_rules.xml</include>
        <include>vmware_rules.xml</include>
        <include>ms_dhcp_rules.xml</include>
        <include>asterisk_rules.xml</include>
        <include>ossec_rules.xml</include>
        <include>attack_rules.xml</include>
        <include>openbsd_rules.xml</include>
        <include>clam_av_rules.xml</include>
        <include>dropbear_rules.xml</include>
        <include>local_rules.xml</include>
      </rules>  
    
      <syscheck>
        <!-- Frequency that syscheck is executed - default to every 22 hours -->
        <frequency>79200</frequency>
    
        <alert_new_files>yes</alert_new_files>    
        <!-- Directories to check  (perform all possible verifications) -->
        <directories report_changes="yes" realtime="yes" check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
        <directories report_changes="yes" realtime="yes" check_all="yes">/bin,/sbin</directories>
    
        <directories report_changes="yes" realtime="yes" restrict=".php|.js|.py|.sh|.html" check_all="yes">/home/my_user,/srv</directories>
    
        <!-- Files/directories to ignore -->
        <ignore>/etc/mtab</ignore>
        <ignore>/etc/mnttab</ignore>
        <ignore>/etc/hosts.deny</ignore>
        <ignore>/etc/mail/statistics</ignore>
        <ignore>/etc/random-seed</ignore>
        <ignore>/etc/adjtime</ignore>
        <ignore>/etc/httpd/logs</ignore>
        <ignore>/etc/utmpx</ignore>
        <ignore>/etc/wtmpx</ignore>
        <ignore>/etc/cups/certs</ignore>
        <ignore>/etc/dumpdates</ignore>
        <ignore>/etc/svc/volatile</ignore>
    
        <ignore>/var/ossec</ignore>
    
        <ignore>/srv/wordpress_website.com/wp-content/cache</ignore>
        <ignore>/etc/webmin/package-updates</ignore>
    
        <!-- Windows files to ignore -->
        <ignore>C:\WINDOWS/System32/LogFiles</ignore>
        <ignore>C:\WINDOWS/Debug</ignore>
        <ignore>C:\WINDOWS/WindowsUpdate.log</ignore>
        <ignore>C:\WINDOWS/iis6.log</ignore>
        <ignore>C:\WINDOWS/system32/wbem/Logs</ignore>
        <ignore>C:\WINDOWS/system32/wbem/Repository</ignore>
        <ignore>C:\WINDOWS/Prefetch</ignore>
        <ignore>C:\WINDOWS/PCHEALTH/HELPCTR/DataColl</ignore>
        <ignore>C:\WINDOWS/SoftwareDistribution</ignore>
        <ignore>C:\WINDOWS/Temp</ignore>
        <ignore>C:\WINDOWS/system32/config</ignore>
        <ignore>C:\WINDOWS/system32/spool</ignore>
        <ignore>C:\WINDOWS/system32/CatRoot</ignore>
      </syscheck>
    
      <rootcheck>
        <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
        <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
        <system_audit>/var/ossec/etc/shared/system_audit_rcl.txt</system_audit>
        <system_audit>/var/ossec/etc/shared/cis_debian_linux_rcl.txt</system_audit>
        <system_audit>/var/ossec/etc/shared/cis_rhel_linux_rcl.txt</system_audit>
        <system_audit>/var/ossec/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>
      </rootcheck>
    
      <global>
        <white_list>127.0.0.1</white_list>
        <white_list>^localhost.localdomain$</white_list>
        <white_list>8.8.8.8</white_list>
        <white_list>8.8.4.4</white_list>
      </global>
    
      <alerts>
        <log_alert_level>2</log_alert_level>
        <email_alert_level>7</email_alert_level>
      </alerts>
    
      <command>
        <name>host-deny</name>
        <executable>host-deny.sh</executable>
        <expect>srcip</expect>
        <timeout_allowed>yes</timeout_allowed>
      </command>  
    
      <command>
        <name>firewall-drop</name>
        <executable>firewall-drop.sh</executable>
        <expect>srcip</expect>
        <timeout_allowed>yes</timeout_allowed>
      </command>  
    
      <command>
        <name>disable-account</name>
        <executable>disable-account.sh</executable>
        <expect>user</expect>
        <timeout_allowed>yes</timeout_allowed>
      </command>  
    
      <command>
        <name>restart-ossec</name>
        <executable>restart-ossec.sh</executable>
        <expect></expect>
      </command>
    
    
      <command>
        <name>route-null</name>
        <executable>route-null.sh</executable>
        <expect>srcip</expect>
        <timeout_allowed>yes</timeout_allowed>
      </command>
    
    
      <!-- Active Response Config -->
      <active-response>
        <!-- This response is going to execute the host-deny
           - command for every event that fires a rule with
           - level (severity) >= 6.
           - The IP is going to be blocked for  600 seconds.
          -->
        <command>host-deny</command>
        <location>local</location>
        <level>6</level>
        <timeout>600</timeout>
      </active-response>
    
      <active-response>
        <!-- Firewall Drop response. Block the IP for
           - 600 seconds on the firewall (iptables,
           - ipfilter, etc).
          -->
        <command>firewall-drop</command>
        <location>local</location>
        <level>6</level>
        <timeout>600</timeout>    
      </active-response>  
    
      <!-- Files to monitor (localfiles) -->
    
      <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/messages</location>
      </localfile>
    
      <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/auth.log</location>
      </localfile>
    
      <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/syslog</location>
      </localfile>
    
      <localfile>
        <log_format>syslog</log_format>
        <location>/var/log/dpkg.log</location>
      </localfile>
    
      <localfile>
        <log_format>command</log_format>
        <command>df -h</command>
      </localfile>
    
      <localfile>
        <log_format>full_command</log_format>
        <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
      </localfile>
    
      <localfile>
        <log_format>full_command</log_format>
        <command>last -n 5</command>
      </localfile>
    </ossec_config>
    
    
  • There's no point in posting the entire content of ossec.conf.

    What happened when you removed /srv/ from monitored directories and restarted?

    Note that you can still monitor /srv, but ignore the access and error log files.

  • Sorry about that, I thought it could be helpful.

    I did what you suggested yesterday but it doesn't change anything, as far as I can tell.

2 Answers

I think I found the issue. As I mentioned in a comment above, I installed Webmin after OSSEC. It looks like the cause of OSSEC using such a big amount of disk space is the Webmin system status (which is updated all the time).

I added the corresponding folder to the ignore list of OSSEC and it seems it solved the issue.

<ignore>/etc/webmin/system-status</ignore>

--

Thanks @finid for the many answers.
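The answer above found the culprit by inspection. As an added example (not from the thread and not OSSEC's own tooling), the following Python script ranks which monitored paths account for the space under the diff queue, so the directory to add as an <ignore> can be found directly; it assumes the on-disk layout described in its comment, and the test tree it is checked against is constructed.

```python
"""Rank which monitored paths are filling OSSEC's report_changes queue."""
import os
from collections import defaultdict

# Assumed layout (not stated in the thread): with report_changes="yes", syscheck keeps
# one directory per monitored file under queue/diff/local/<path>/ containing
# 'last-entry' plus a 'state.<epoch>' snapshot for every change it recorded.
DIFF_ROOT = "/var/ossec/queue/diff/local"


def rank_diff_consumers(root, depth=2):
    """Return [(prefix, total_bytes, snapshot_count)] sorted by bytes, largest first.

    prefix is the first `depth` components of the monitored path (e.g. '/etc/webmin'),
    so a directory that is rewritten constantly shows up as a single line even when
    it holds thousands of snapshot files.
    """
    size_by_prefix = defaultdict(int)
    snaps_by_prefix = defaultdict(int)
    for dirpath, _dirs, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if rel == ".":
            continue  # nothing interesting lives directly under the root
        prefix = "/" + "/".join(rel.split(os.sep)[:depth])
        for name in filenames:
            try:
                size_by_prefix[prefix] += os.path.getsize(os.path.join(dirpath, name))
            except OSError:
                continue  # snapshot rotated away while we were walking
            if name.startswith("state."):
                snaps_by_prefix[prefix] += 1
    rows = [(p, size_by_prefix[p], snaps_by_prefix[p]) for p in size_by_prefix]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def suggest_ignores(ranking, min_snapshots=50):
    """Prefixes with heavy snapshot churn: candidates for an <ignore> in ossec.conf."""
    return [prefix for prefix, _size, snaps in ranking if snaps >= min_snapshots]


if __name__ == "__main__":
    ranking = rank_diff_consumers(DIFF_ROOT)
    for prefix, size, snaps in ranking[:10]:
        print(f"{size / 2**20:9.1f} MiB {snaps:7d} snapshots  {prefix}")
    for prefix in suggest_ignores(ranking):
        print(f"consider: <ignore>{prefix}</ignore>")
```

Run it as root on the agent; a path with hundreds of state.* snapshots and a fast-growing byte count is the one syscheck is re-copying on every change.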
