Tripwire was generating big report files in one of our boxes, almost 12MB, compared to 60KB for the others.
I found the problem is that there were many changes applied to this server, and files copied/moved,
so the tripwire DB holding the changes grew up a lot.
The only command to run and update the tripwire DB is:
tripwire --update -Z low
This command will compare your database against your current file system and then launch an editor so that you can choose to make changes to your database.
If you try this command but get an error message about a missing report file, the reason is most likely that the last check was not run immediately prior to the update. The report file in the /var/lib/tripwire/report directory is named by hostname, then date (yyyymmdd) then time. If you have recently run a check and want the update to proceed using your most recent report file, then use the -r option and provide the report filename that you want the update to use.
tripwire --update -Z low --twrfile host-yyyymmdd-tttttt.twr
If it asks for a password, you'll have to set it up first, unless you already know the password:
tripwire --local-passphrase mypassword
Then, run the sync again, now you know the password.