Very big syscheck queue - how to deal with it?


horst knete

Dec 8, 2014, 7:17:15 AM
to ossec...@googlegroups.com
Hey guys,

we have an OSSEC server installation on Debian with about 210 Windows and Linux OSSEC clients in our network.

Regarding syscheck, we literally have the default settings of OSSEC, which include a big part of the Windows registry and Windows directory as well as most Linux directories, and this check is executed every 10 hours.

Now looking at our /var/ossec/queue/syscheck queue directory on the server, this folder has a size of 5.4 GB and contains 2 "files" for almost every OSSEC client.

I really wonder why this folder grows that big, because it should only be a queue for when our server isn't able to perform the checks at the given time due to lacking CPU/RAM/network resources.

Since none of these shortages apply, I'd like to know how I can decrease the size of this queue.

Thanks for responding.

dan (ddp)

Dec 8, 2014, 8:03:57 AM
to ossec...@googlegroups.com
On Mon, Dec 8, 2014 at 7:17 AM, horst knete <badun...@hotmail.de> wrote:
> Hey guys,
>
> we have an OSSEC server installation on Debian with about 210 Windows
> and Linux OSSEC clients in our network.
>
> Regarding syscheck, we literally have the default settings of OSSEC,
> which include a big part of the Windows registry and Windows directory as
> well as most Linux directories, and this check is executed every 10 hours.
>
> Now looking at our /var/ossec/queue/syscheck queue directory on the server,
> this folder has a size of 5.4 GB and contains 2 "files" for almost every
> OSSEC client.
>

Those are actually files.

> I really wonder why this folder grows that big, because it should only be a
> queue for when our server isn't able to perform the checks at the given time
> due to lacking CPU/RAM/network resources.
>

Those files grow because there are changes on the systems they
represent. Those are the syscheck database files. If you need them
shrunk, you'll have to clear the databases. I don't know what the rest
of that means though (the cpu/ram/network stuff).

> Since none of these shortages apply, I'd like to know how I can decrease
> the size of this queue.
>
> Thanks for responding.

Bee esS

Apr 20, 2017, 1:18:08 PM
to ossec-list
> If you need them shrunk, you'll have to clear the databases.

How?


On Monday, 8 December 2014 08:03:57 UTC-5, dan (ddpbsd) wrote:
On Mon, Dec 8, 2014 at 7:17 AM, horst knete <badun...@hotmail.de> wrote:
>
> Now looking at our /var/ossec/queue/syscheck queue directory on the server,
> this folder has a size of 5.4 GB and contains 2 "files" for almost every
> OSSEC client.

dan (ddp)

Apr 20, 2017, 1:29:07 PM
to ossec...@googlegroups.com
On Thu, Apr 20, 2017 at 1:02 PM, Bee esS <bs2...@gmail.com> wrote:
>> If you need them shrunk, you'll have to clear the databases.
>
> How?
>

When resurrecting 2+ year old threads, it might be best to offer more context.
To clear a syscheck db:
1. stop the ossec processes on the server
2. /var/ossec/bin/syscheck_control -u AGENT_ID
3. Start the ossec processes on the server

B. S.

Apr 20, 2017, 2:07:31 PM
to ossec...@googlegroups.com
> To clear a syscheck db:
> 1. stop the ossec processes on the server
> 2. /var/ossec/bin/syscheck_control -u AGENT_ID
> 3. Start the ossec processes on the server

Thank you - "To clear a syscheck db" gave me the context needed to
better understand syscheck_control --help.

So:
> 2. /var/ossec/bin/syscheck_control -u AGENT_ID

Could also have been '/var/ossec/bin/syscheck_control -u all'.

Granted, you could not know I'm on a local install with no remote agents.

However, sadly, /var/ossec/queue is still quite large. Per the OP.

In particular, in my case, /var/ossec/queue/diff

What is the appropriate way to squish this dir down?
(The corresponding question would then be: specifying a 'checkpoint'? Is
that even possible, to, say, maintain your original, or, say, the state as of
1 month ago, so that diffs between then and now are kept?)

I see references to just deleting files in diff. Is that safe? i.e.
won't it befuddle OSSEC? (I get that I'll lose the change history.)

dan (ddp)

Apr 20, 2017, 2:33:38 PM
to ossec...@googlegroups.com
On Thu, Apr 20, 2017 at 2:07 PM, B. S. <bs2...@gmail.com> wrote:
>> To clear a syscheck db:
>> 1. stop the ossec processes on the server
>> 2. /var/ossec/bin/syscheck_control -u AGENT_ID
>> 3. Start the ossec processes on the server
>
> Thank you - "To clear a syscheck db" gave me the context needed to better
> understand syscheck_control --help.
>
> So:
>> 2. /var/ossec/bin/syscheck_control -u AGENT_ID
>
> Could also have been '/var/ossec/bin/syscheck_control -u all'.
>
> Granted, you could not know I'm on a local install with no remote agents.
>
> However, sadly, /var/ossec/queue is still quite large. Per the OP.
>
> In particular, in my case, /var/ossec/queue/diff
>

And there is the context that could have made this much easier.

> What is the appropriate way to squish this dir down?
> (The corresponding question would then be: specifying a 'checkpoint'? Is that
> even possible, to, say, maintain your original, or, say, the state as of 1 month
> ago, so that diffs between then and now are kept?)
>
> I see references to just deleting files in diff. Is that safe? i.e. won't
> it befuddle OSSEC? (I get that I'll lose the change history.)
>

You should be able to delete the files. I don't generally use the diff
option, so haven't tested this all myself.
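A script added here as an example (not part of the thread and not OSSEC's own tooling) that covers both Dan's three clearing steps and the question about squishing queue/diff: it reports which queue entry holds the space, wraps the stop / syscheck_control -u / start sequence, and prunes old files under queue/diff while keeping each directory's newest file so the current baseline survives. It assumes ossec-control is what stops and starts the processes and that each recorded snapshot under queue/diff is a plain file whose mtime is when it was taken; the queue paths come from the thread.

```shell
#!/bin/sh
# Added example for the ossec-list thread, not OSSEC's own code.
# OSSEC_DIR can be pointed at a constructed tree to exercise the reporting.
OSSEC_DIR="${OSSEC_DIR:-/var/ossec}"

# Total bytes of regular files below directory $1.
dir_bytes() {
    find "$1" -type f | while read -r f; do wc -c < "$f"; done |
        awk '{ s += $1 } END { print s + 0 }'
}

# Print "<bytes> <entry>" for each entry directly under $1, largest first.
# Run on queue/ to compare syscheck against diff, or on queue/syscheck to
# see which agent's database file is the one growing.
queue_report() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue
        if [ -d "$entry" ]; then b=$(dir_bytes "$entry")
        else b=$(wc -c < "$entry" | tr -d ' '); fi
        printf '%s %s\n' "$b" "$(basename "$entry")"
    done | sort -rn
}

# The three steps from the thread. $1 is the agent id, or "all" on a
# local install with no remote agents. ossec-control is assumed here.
clear_syscheck_db() {
    "$OSSEC_DIR/bin/ossec-control" stop
    "$OSSEC_DIR/bin/syscheck_control" -u "$1"
    "$OSSEC_DIR/bin/ossec-control" start
}

# Remove files under $1 (normally $OSSEC_DIR/queue/diff) older than $2 days,
# but never the newest file in any directory, so the baseline that future
# diffs are taken against is kept even when it is old; only history older
# than the cutoff is lost. DRY_RUN=1 lists instead of deleting.
prune_diffs() {
    find "$1" -type d | while read -r d; do
        newest=$(ls -tp "$d" | grep -v '/$' | head -n 1)
        if [ "${DRY_RUN:-0}" = 1 ]; then
            find "$d" -maxdepth 1 -type f -mtime +"$2" ! -name "$newest" -print
        else
            find "$d" -maxdepth 1 -type f -mtime +"$2" ! -name "$newest" \
                -print -exec rm -f {} +
        fi
    done
}
```

Run `DRY_RUN=1 prune_diffs /var/ossec/queue/diff 30` first to see what a 30-day checkpoint would remove before deleting anything.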