Wazuh master node queue/db directory growing indefinitely due to syscheck FIM entries

Emar Flix

4:06 AM
to Wazuh | Mailing List
Hello,

Environment: Wazuh (multi-node cluster) — manager/master node

Problem:
The queue/db directory on my master node keeps growing indefinitely and eventually overloads the disk. After investigation, I identified the root cause: syscheck FIM (File Integrity Monitoring) entries.
When I disable syscheck entirely, disk usage returns to normal. However, disabling it is not a viable solution since I need FIM logs for compliance and security monitoring purposes.
Root cause hypothesis:
My understanding is that Wazuh stores the latest state of each monitored file in the FIM database, but does not remove or rotate old/stale entries — for example, entries for files that no longer exist, or historical state records that accumulate over time. This causes the queue/db directory to grow without bound.
Questions:
Is there a built-in retention or cleanup mechanism for FIM database entries in Wazuh?
Is there a recommended way to purge stale/deleted file entries from the syscheck database without disabling the module?
Are there any ossec.conf settings to limit the size or retention period of FIM data stored in queue/db?
Has anyone else encountered this and found a workaround?
Any help is appreciated. Happy to share configuration details or logs if needed.

Bony V John

4:36 AM
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

5:53 AM
to Wazuh | Mailing List
Hi,

I understand your issue. The /var/ossec/queue/db/ directory is used by FIM, Syscollector, and SCA on the Wazuh manager to store agent data. You mentioned that syscheck is disabled. Was it disabled on the agent side as well?

As you’ve seen, the size of this directory grows based on the number of agents, the number of monitored files, and data collected by Syscollector. If syscheck is causing high disk usage, it’s worth reviewing the configuration on the agent. Monitoring large directories or paths with many subfolders can quickly increase the number of tracked files. It’s better to limit monitoring to only what’s necessary and use the <ignore> option to skip files or directories that don’t add value.

The same applies to registry monitoring. Keep only what’s needed and exclude the rest to keep storage usage under control.

You can also set file and registry limits on the Wazuh agent to control the number of files and registries monitored by FIM. For that, you can refer to the Wazuh documentation.

At the moment, there isn’t a built-in way to set a size limit for this database or selectively clean it up. The practical approach is tuning what gets collected at the agent level.

Also, keep in mind that this directory can still contain data from old or disconnected agents. Those don’t get cleaned up automatically. If you have agents that are no longer in use, remove them from the manager. That will also clear their data from this directory and free up space.

You can remove an old agent using:

/var/ossec/bin/manage_agents -r <agent-id>

Replace <agent-id> with the agent you want to remove.
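The reply above gives two levers: find out which agents' databases are eating the disk, and remove agents that are no longer in use. The script below is an added example (not Wazuh project code and not something either poster shared) that does the bookkeeping for both on a manager: it lists every per-agent `NNN.db` in `/var/ossec/queue/db` by size, optionally counts its FIM rows, and cross-checks the files against an `agent_control -l` listing to print `manage_agents -r` candidates as a dry run. Assumptions are marked in the comments: the default install path, the `agent_control -l` line format (`ID: 001, Name: ..., IP: ..., Active`), the Wazuh 4.x agent-db table name `fim_entry`, and the script/function names themselves, which are invented for this example.

```shell
#!/bin/sh
# fim_db_audit.sh (hypothetical name): audit /var/ossec/queue/db on a Wazuh
# manager. Added example, not Wazuh project code. Assumes the default install
# path and the 4.x per-agent database layout (one NNN.db per agent, 000.db for
# the manager itself; global.db, mitre.db and the wdb socket are not per-agent).
set -u

# Size in bytes of every per-agent database in DBDIR, largest first.
# Output: "<bytes> <agent-id>", one per line.
report_db_usage() {
    dbdir="$1"
    for f in "$dbdir"/[0-9][0-9][0-9].db; do
        [ -f "$f" ] || continue
        bytes=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s\n' "$bytes" "$(basename "$f" .db)"
    done | sort -rn
}

# Number of FIM rows in one agent database. Assumes the Wazuh 4.x schema,
# where FIM state lives in table fim_entry; prints "?" when sqlite3 is not
# installed, the file is not a Wazuh database, or wazuh-db has it locked.
fim_entry_count() {
    command -v sqlite3 >/dev/null 2>&1 || { echo "?"; return; }
    sqlite3 -readonly "$1" 'SELECT count(*) FROM fim_entry;' 2>/dev/null || echo "?"
}

# Agent IDs from an `agent_control -l` listing on stdin whose status is not
# Active (Disconnected, Never connected, Pending). Assumed line format:
#   "   ID: 001, Name: web01, IP: 10.0.0.5, Active"
# 000 is the manager and is never reported.
inactive_agent_ids() {
    sed -n 's/^ *ID: \([0-9][0-9]*\), Name: .*, IP: .*, \(.*\)$/\1 \2/p' |
        awk '$1 != "000" && $2 != "Active" { print $1 }'
}

# Removal candidates: every NNN.db in DBDIR whose agent is inactive in the
# listing ("inactive") or not registered at all ("orphan"). An orphan has no
# agent left to remove with manage_agents -r, so it is reported but needs
# separate handling. Output: "<agent-id> inactive|orphan".
removal_candidates() {
    dbdir="$1"; listing="$2"
    registered=$(sed -n 's/^ *ID: \([0-9][0-9]*\),.*/\1/p' "$listing")
    inactive=$(inactive_agent_ids < "$listing")
    for f in "$dbdir"/[0-9][0-9][0-9].db; do
        [ -f "$f" ] || continue
        id=$(basename "$f" .db)
        [ "$id" = "000" ] && continue
        if ! printf '%s\n' "$registered" | grep -qx "$id"; then
            printf '%s orphan\n' "$id"
        elif printf '%s\n' "$inactive" | grep -qx "$id"; then
            printf '%s inactive\n' "$id"
        fi
    done
}

# Entry point. RUN_AUDIT is a guard invented for this example so that sourcing
# the file only defines the functions. Usage on a manager:
#   /var/ossec/bin/agent_control -l > /tmp/agents.txt
#   RUN_AUDIT=1 sh fim_db_audit.sh /var/ossec/queue/db /tmp/agents.txt
if [ "${RUN_AUDIT:-0}" = 1 ]; then
    dbdir="$1"; listing="$2"
    echo "# largest agent databases (bytes, FIM rows, id):"
    report_db_usage "$dbdir" | head -20 | while read -r bytes id; do
        printf '%s %s %s\n' "$bytes" "$(fim_entry_count "$dbdir/$id.db")" "$id"
    done
    echo "# dry run, review before executing:"
    removal_candidates "$dbdir" "$listing" | while read -r id why; do
        echo "# $id ($why): /var/ossec/bin/manage_agents -r $id"
    done
fi
```

The FIM row count is what ties the size back to the configuration advice in the reply: an agent whose `fim_entry` count is in the millions is the one whose `<directories>` and `<ignore>` settings need trimming, not the manager. The removal list is deliberately a dry run; a Disconnected agent may simply be a host that is powered off, so confirm with the owner before running the `manage_agents -r` line it prints.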
