Hello,

Since I've updated my ossec-server to version 2.7, the database logging has 
two problems, which I think I fixed in my local version.
The first problem is that the last two signs of each message are cut off, 
which is fixed simply by editing two lines in src/os_dbd/alert.c.
The len+2 counting is done for creating the templog but not when actually 
copying the message?!
original line 194: snprintf(templog, len, "%s\n", al_data->log[i]);
my line 194: snprintf(templog, len+2, "%s\n", al_data->log[i]);
original line 197: snprintf(templog, len, "%s", al_data->log[i]);
my line 197: snprintf(templog, len+2, "%s", al_data->log[i]);


The second problem was a touch more difficult. In the new version, new 
variables are defined for al_data, like old_md5 and new_md5.
When any of those finding matches, the rest of the message (especially the 
multiline ones) gets cut off.

so I edited src/shared/read-alert.c

original line 465: else if(log_size < 20)
my line 465: if(log_size < 20)

To avoid the alert header being shown in the message itself as well, I 
added at line 481 the if-clause used to find the rule_begin:
line 479: issyscheck=0;
line 480:}
line 481: if(strncmp(RULE_BEGIN, str, RULE_BEGIN_SZ) == 0)
line 482:{}
line 483: else
line 484: {
line 485 (482 in orig): os_realloc(log, (log_size+2)*sizeof(char *), log);
line 486 (483 in orig): os_strdup(str, log[log_size]);
line 487 (484 in orig): log_size++;
line 488 (485 in orig): log[log_size] = NULL;
line 489: }

In my understanding, this change leaves the original rule message 
untouched, but cuts off the message head.

Could you include these fixes in the original 2.7 or a later version of OSSEC?
Do you need anything else from me?

Best regards,
Robert Gruber
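
Added example, not part of the original message or the OSSEC source: a stand-alone C program showing how snprintf's size argument produces the truncation described for src/os_dbd/alert.c, and how its return value exposes it. The helper names and the sample line are constructed for illustration; the buffer is assumed to be allocated with len+2 bytes as the message states.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample alert line, not taken from a real OSSEC log. */
static const char SAMPLE[] = "Integrity checksum changed for: '/etc/hosts'";

/* Hypothetical helper: copy line plus '\n' into a buffer of len+2 bytes,
 * passing size_arg as snprintf's size. Sets *truncated from the return
 * value, which is the length the full output would have needed. */
static char *copy_log_line(const char *line, size_t size_arg, int *truncated)
{
    size_t len = strlen(line);
    char *templog = calloc(len + 2, 1);      /* line + '\n' + NUL */
    if (templog == NULL)
        return NULL;
    if (size_arg > len + 2)
        size_arg = len + 2;                  /* never claim more than allocated */
    int needed = snprintf(templog, size_arg, "%s\n", line);
    *truncated = (needed < 0 || (size_t)needed >= size_arg);
    return templog;
}

/* How many characters of the intended output (line + '\n') were dropped. */
static size_t chars_lost(const char *line, size_t size_arg, int *truncated)
{
    char *out = copy_log_line(line, size_arg, truncated);
    if (out == NULL)
        return (size_t)-1;
    size_t lost = strlen(line) + 1 - strlen(out);
    free(out);
    return lost;
}

int main(void)
{
    size_t len = strlen(SAMPLE);
    size_t sizes[] = { len, len + 2 };       /* original call vs. patched call */
    for (int i = 0; i < 2; i++) {
        int t = 0;
        size_t lost = chars_lost(SAMPLE, sizes[i], &t);
        printf("size=%zu: lost %zu chars, truncation reported: %d\n",
               sizes[i], lost, t);
    }
    return 0;
}
```

snprintf writes at most size-1 characters plus the terminating NUL, so a size of len drops the final character of the line and the newline, while len+2 matches the allocation and keeps both.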
