This is 2.5.1. We thought about just upgrading to 2.6, but we need the full_command functionality in the agent.conf.

I'm not sure what is different about the install.sh compilation of ossec-logcollector, but I know that when I compile from source it doesn't work. I basically did this:

1) in src, run "make all" (also tried just "make libs")
2) in src/logcollector, run "make"
3) cp src/logcollector/ossec-logcollector /var/ossec/bin
4) restart OSSEC
5) OSSEC.log loads only what's in ossec.conf

On Sat, Aug 6, 2011 at 9:50 AM, dan (ddp) <[email protected]> wrote:
> Which version of OSSEC?
>
> On Sat, Aug 6, 2011 at 12:14 PM, jplee3 <[email protected]> wrote:
> > Nevermind my last comment about ossec.conf not being read properly. I
> > must have not saved it after editing...doh.
> >
> > It seems to work fine. But agent.conf doesn't seem to be processed in
> > still.
> >
> > On Aug 5, 4:54 pm, jplee3 <[email protected]> wrote:
> >> Hi all,
> >>
> >> So we ran into an issue with "Large message size" warnings filling up
> >> the ossec.log file and causing the file to grow out of control and use
> >> up disk space. I went ahead and commented out the lines in
> >> read_syslog.c and read_multiline.c to prevent this from happening in
> >> the future, but then noticed after starting OSSEC back up, that the
> >> full commands weren't running.
> >>
> >> I made sure to backup the original ossec-logcollector, and when I
> >> restored it and restarted OSSEC, the full commands showed up as
> >> running in the ossec.log
> >>
> >> At first I thought it was the changes I made with commenting out the
> >> "Large message size" lines, so I deleted the dir, untarred to a fresh
> >> folder, and compiled straight away. Copied the ossec-logcollector
> >> over, restarted OSSEC, and no go with full command.
> >>
> >> Is there something I'm missing when compiling in src/logcollector? I
> >> noticed that read_fullcommand.c does exist in this directory.
>
