Hello,

since I've updated my ossec-server to Version 2.7 the Database-Logging has two problems which I think I fixed in my local version.

The first problem is that the last two signs of each message are cut off, which is fixed simply by editing two lines in src/os_dbd/alert.c. The len+2 counting is done for creating the templog but not when actually copying the message?!

original line 194: snprintf(templog, len, "%s\n", al_data->log[i]);
my line 194: snprintf(templog, len+2, "%s\n", al_data->log[i]);

original line 197: snprintf(templog, len, "%s", al_data->log[i]);
my line 197: snprintf(templog, len+2, "%s", al_data->log[i]);

The second problem was a touch more difficult. In the new Version, new variables are defined for al_data, like old_md5 and new_md5. When any of those finding matches, the rest of the message (especially the multiline ones) gets cut off. So I edited src/shared/read-alert.c:

original line 465: else if(log_size < 20)
my line 465: if(log_size < 20)

To avoid that the alert header is shown in the message itself as well, I added at line 481 the if-clause used to find the rule_begin:

line 479: issyscheck=0;
line 480: }
line 481: if(strncmp(RULE_BEGIN, str, RULE_BEGIN_SZ) == 0)
line 482: {}
line 483: else
line 484: {
line 485 (482 in orig): os_realloc(log, (log_size+2)*sizeof(char *), log);
line 486 (483 in orig): os_strdup(str, log[log_size]);
line 487 (484 in orig): log_size++;
line 488 (485 in orig): log[log_size] = NULL;
line 489: }

In my understanding, this change leaves the original rule message untouched, but cuts off the message head.

Could you include these fixes in the original 2.7 or a later Version of OSSEC? Do you need anything else from me?

Best regards,
Robert Gruber
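
The size-argument mismatch described for alert.c can be reproduced in isolation. The following is an added example, not part of the original message and not OSSEC code; copy_log_line is a hypothetical helper, and it assumes len is the string length of the log line, as the message implies. It shows how snprintf's return value exposes the silent truncation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: copy one log line plus '\n' into a fresh buffer of
 * len+2 bytes, passing `bound` to snprintf as the size limit. *truncated is
 * set when snprintf's return value shows the output did not fit.
 * The caller frees the result. */
static char *copy_log_line(const char *line, size_t bound, int *truncated)
{
    size_t len = strlen(line);           /* assumption: len is the line length */
    char *templog = calloc(len + 2, 1);  /* room for line + '\n' + NUL */
    int want;

    if (templog == NULL)
        return NULL;
    if (bound > len + 2)                 /* the bound must never exceed the allocation */
        bound = len + 2;

    /* snprintf writes at most bound-1 characters and then a NUL; it returns
     * the length the full output would have had. */
    want = snprintf(templog, bound, "%s\n", line);
    *truncated = (want < 0 || (size_t)want >= bound);
    return templog;
}

int main(void)
{
    const char *line = "sshd[123]: Failed password for root"; /* constructed sample */
    size_t len = strlen(line);
    int cut = 0;
    char *short_copy = copy_log_line(line, len, &cut);        /* bound as in 2.7 */

    if (short_copy == NULL)
        return 1;
    printf("bound=len   truncated=%d stored=[%s]\n", cut, short_copy);
    free(short_copy);

    char *full_copy = copy_log_line(line, len + 2, &cut);     /* bound from the fix */
    if (full_copy == NULL)
        return 1;
    printf("bound=len+2 truncated=%d stored=[%s]\n", cut, full_copy);
    free(full_copy);
    return 0;
}
```

With the bound set to len, the final character of the line and the newline are both dropped, which is two characters per message; checking the return value against the bound catches this at the call site.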