Question
Using OSSEC - huge size of /var/ossec/queue/diff
Hi,
I’m using OSSEC on my Ubuntu server. I saw that the disk was almost full. I searched for the biggest folders and I found out that the folder /var/ossec/queue/diff was really huge and filling all the disk.
Is it normal? Is there a setting on OSSEC to prevent this from happening?
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
×
@finid Any idea?
Are you monitoring the OSSEC directory? That is, did you include /var/ossec or any of its sub-directories in the list of monitored directories in
ossec.conf?No, and I even added /var/ossec to be ignored with
<ignore>/var/ossec</ignore>… I don’t see what else to do.That folder alone is now using almost 75% of my disk space, which is almost full. Do you have another idea, @finid? :(
A default installation of OSSEC should not be using up disk space at the rate you’re indicating. So it’s not normal. Something has been misconfigured.
If you provide some detail as to what you did after installation, it would be easier to help. Ignoring the OSSEC directory in
ossec.confshould help, but you should not need to do that unless you’re monitoring OSSEC’s directory.Thanks for your help @finid. Actually, I didn’t do anything special, I installed it like in your tutorial for Ubuntu 14.04.
These are the directories monitored for changes :
I also added a few directories to ignore (like WordPress cache, etc.). But that’s all I think, except that I installed Webmin afterwards, because it was the last step I had planed for my server config.
I don’t see anything in the monitored directories that should cause excessive disk usage, but why are you monitoring
/srv? What purpose does that serve and what’s in that directory in your installation?My only suggestion now is this: remove
/srvfrom monitored directories, then restart OSSEC and see if that made any differenceWell,
/srvis where the websites are located so I thought it would be a good idea to monitor it. But I’ll try your suggestion right now. Thanks.Hi @finid,
I took another look at the directory
/var/ossec/queue/diff. It looks like it contains a copy of my whole server, or something that looks like that. I guess it’s normal to have files duplicated here for the diff to work, but I don’t understand why my server seems to be fully duplicated here… Let me know if you have any other idea. :) Here is my fullossec.confif it can help.There’s no point in posting the entire content of
ossec.conf.What happened when you removed
/srv/from monitored directories and restarted?Note that you can still monitor
/srv, but ignore the access and error log files.Sorry about that, I thought it could be helpful.
I did what you suggested yesterday but it doesn’t change anything, as far as I can tell.