When I get email alerts for mine, I only get 20 lines back. Seems to be hard coded.
As an example, monitoring listened ports:

ossec: output: 'netstat -anp tcp | find "LISTEN" | find /V "127.0.0.1"':
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:513 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2201 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2481 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3588 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5657 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8779 0.0.0.0:0 LISTENING
TCP 0.0.0.0:9871 0.0.0.0:0 LISTENING
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49163 0.0.0.0:0
Previous output:

--END OF NOTIFICATION

On Dec 16, 11:30 am, "dan (ddp)" <ddp...@gmail.com> wrote:
> How many lines do you get back exactly?
>
> On Tue, Dec 13, 2011 at 9:05 PM, alsdks <als...@gmail.com> wrote:
> > Hello,
> >
> > I have set up a command to monitor file permissions in Windows (Since
> > by default Ossec only supports POSIX). The command for example is:
> >
> > <localfile>
> >   <log_format>full_command</log_format>
> >   <command>icacls c:\WINDOWS\system32\*.exe</command>
> >   <alias>icacls</alias>
> > </localfile>
> >
> > Now the question: is there a limitation how many lines can OSSEC take
> > and process as the output of a command? Because I seem to be getting
> > only up to letter c of the executables located in that dir.
> >
> > Thank you!