> To clear a syscheck db:
> 1. stop the ossec processes on the server
> 2. /var/ossec/bin/syscheck_control -u AGENT_ID
> 3. Start the ossec processes on the server
Thank you - "To clear a syscheck db" gave me the context needed to
better understand syscheck_control --help.
So:
> 2. /var/ossec/bin/syscheck_control -u AGENT_ID
Could also have been '/var/ossec/bin/syscheck_control -u all'.
Granted, you could not know I'm on a local install with no remote agents.
However, sadly, /var/ossec/queue is still quite large. Per the OP.
In particular, in my case, /var/ossec/queue/diff
What is the appropriate way to squish this dir down?
(Corresponding question would then be: specifying a 'checkpoint'? Is
that even possible - to, say, maintain your original, or, say, as of
1 month ago, so that diffs between then and now are kept?)
I see references to just deleting files in diff. Is that safe, i.e. it
won't befuddle ossec? (I get I'll lose the change history.)