Interesting topic. For archives.log and alerts.log OSSEC uses symbolic links, an ossec-monitord takes care of rotating those, so we don't need to restart ossec processes or use "copytruncate". How about using ossec-monitord to rotate ossec.log and active-response.log as well? Wouldn't that make more sense than using logrotate? (specially considering that OSSEC is designed to run in a chroot environment, not to interact much with the host)

Yes, single mechanism for rotating all logs would be nice. Current documentation recommends logrotate for ossec.log: http://ossec.github.io/docs/faq/ossec.html#how-can-i-get-ossec-log-to-rotate-daily

Btw, how can I change settings for log rotation by ossec-monitord? I've found only options that change compressing/signing: http://ossec.github.io/docs/syntax/head_internal_options.analysisd.html#internal-options-conf-monitord

If those are not in internal_options.conf I would assume those options are hardcoded.

If everyone agrees rotation for ossec.log and active-response.log should be implemented to be done by ossec-monitord, I'll add it to my todo and try to do this once I have some spare time.