As far as I know, OSSEC itself doesn't delete logs. Look at the documentation:

Where are OSSEC’s logs stored?

On OSSEC server and local installs there are several classes of OSSEC logs. There are the logs created by the OSSEC daemons, the log messages from the agents, and the alerts. Agent installs do not have logs from other agents or alerts, but do have logs created by the OSSEC processes.

All logs are stored in subdirectories of /var/ossec/logs. OSSEC’s log messages are stored in /var/ossec/logs/ossec.log.

Log messages from the agents are not stored by default. After analysis they are deleted unless the option is included in the manager’s ossec.conf. If set all log messages sent to the manager are stored in /var/ossec/logs/archives/archives.log and rotated daily.

Alerts are stored in /var/ossec/logs/alerts/alerts.log, and rotated daily.

You can use logrotate to rotate the ossec logs, but the /var/ossec/queue/diff folder is another story.

You can safely delete the files in there and maintain OSSEC functionality, but you will lose the difference reports.


It seems if you add report_changes to your directories like I did, it can cause this: /home/wordpress/sites/

Report Changes

OSSEC supports sending diffs when changes are made to text files on Linux and unix systems.

Configuring syscheck to show diffs is simple, add report_changes="yes" to the

/etc /bin,/sbin

Note: Report Changes can only work with text files, and the changes are stored on the agent inside /var/ossec/queue/diff/local/dir/file. If OSSEC has not been compiled with libmagic support, report_changes will copy any file designated, e.g. mp3, iso, executable, /chroot/dev/urandom (which would fill your hard drive). So unless libmagic is used, be very careful on which directory you enable report_changes.
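
To see which monitored paths are filling the diff queue before deleting anything, this added example (not part of the original answer or of OSSEC) totals stored bytes per path prefix under /var/ossec/queue/diff/local and lists stored copies that look non-text. The NUL-byte text check, the `depth` grouping and the function names are assumptions of this example.

```python
import os
import stat
from collections import defaultdict

# Diff store location as given in the documentation quoted above.
DIFF_ROOT = "/var/ossec/queue/diff/local"

def looks_binary(path, sample=4096):
    """Assumed heuristic: a NUL byte in the first block means 'not text'."""
    try:
        with open(path, "rb") as fh:
            return b"\0" in fh.read(sample)
    except OSError:
        return False  # unreadable: still counted in usage, just not flagged

def summarize(root=DIFF_ROOT, depth=3):
    """Return (usage, binaries).

    usage    -- bytes stored per path prefix (first `depth` components)
    binaries -- (stored path, size) of non-text copies, largest first
    """
    usage = defaultdict(int)
    binaries = []
    for dirpath, _dirs, files in os.walk(root):  # os.walk does not follow symlinks
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # entry vanished while scanning
            if not stat.S_ISREG(st.st_mode):
                continue  # never open FIFOs, devices or symlinks
            parts = os.path.relpath(full, root).split(os.sep)
            usage["/" + "/".join(parts[:depth])] += st.st_size
            if looks_binary(full):
                binaries.append(("/" + "/".join(parts), st.st_size))
    binaries.sort(key=lambda item: item[1], reverse=True)
    return dict(usage), binaries

if __name__ == "__main__":
    usage, binaries = summarize()
    top = sorted(usage.items(), key=lambda kv: kv[1], reverse=True)[:20]
    for prefix, size in top:
        print(f"{size / 2**20:10.1f} MiB  {prefix}")
    for path, size in binaries[:20]:
        print(f"non-text copy: {path} ({size} bytes)")
```

Large prefixes or non-text entries point at the directories where report_changes should be reconsidered.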