OSSEC agents spooling
43 views
Skip to first unread message
Buser85
Nov 13, 2019, 2:05:05 PM11/13/19
to ossec-list
Can somebody give some feedback in relation to the below please ;
In the event an OSSEC core server was to go offline for an extended period of time will the agents keep storing syscheck alerts locally until the core comes back online?
If the agents do spool alert logs locally the risk is disk space on agents filling up. Any settings to prevent this?
Lastly, the local agent log OSSEC.log. Anyway to limit the size!
Thanks a lot.
In the event an OSSEC core server was to go offline for an extended period of time will the agents keep storing syscheck alerts locally until the core comes back online?
If the agents do spool alert logs locally the risk is disk space on agents filling up. Any settings to prevent this?
Lastly, the local agent log OSSEC.log. Anyway to limit the size!
Thanks a lot.
José Manuel López del Río
Sep 21, 2020, 9:53:26 AM9/21/20
to ossec-list
Hello Buser85,
When the OSSEC agent goes offline, it will stop performing checks and collecting events locally. Therefore, no events are going to be generated regarding FIM, and no further disk space should be consumed. The logs stored at the ossec.log should only be reporting the inability to connect to the server too. Also, the ossec.log files are compressed and rotated daily under /var/ossec/logs/ossec in Linux and C:\Program Files (x86)\ossec-agent\logs in Windows.
If the agent comes back online, then it should perform the syscheck scans back again, and report all file changes comparing the last checksum of the files stored in the database before it went offline with the most recent ones, being able to report which files were modified while the agent was offline.
I hope this helps.
Reply all
Reply to author
Forward
0 new messages