I checked the alert log and it is truncated in there as well. I do see the change listed, though, inside the diff file as shown below. The permit host line is what I am looking for that isn't showing up in the alert log and/or the email notification. As you can see, it is just the one extra line that gets chopped off. I can understand the details possibly not making it into the email message, but I would expect it to be fully logged in the log file...
----------------Diff File Information-------------------
17c17
< Current configuration : 16328 bytes
---
> Current configuration : 16360 bytes
19c19
< ! Last configuration change at 09:53:33 EST Tue May 12 2015 by netadmin
---
> ! Last configuration change at 12:07:34 EST Tue May 12 2015 by netadmin
248a249
> permit host aaaa.aaaa.aaaa any

---------Alert Log Information-----------------------
Rule: 555 (level 7) -> 'Integrity checksum for agentless device changed.'
ossec: agentless: Change detected:
17c17
< Current configuration : 16328 bytes
---
> Current configuration : 16360 bytes
19c19
< ! Last configuration change at 09:53:33 EST Tue May 12 2015 by netadmin
---
> ! Last configuration change at 12:07:34 EST Tue May 12 2015 by netadmin
More changes..

_____________________________

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of dan (ddp)
Sent: Tuesday, May 12, 2015 1:40 PM
To: [email protected]
Subject: Re: [ossec-list] Agentless network diff not showing correct info

On Tue, May 12, 2015 at 1:28 PM, Adam Whelan <[email protected]> wrote:
> Interesting, I changed an ACL which has maybe 75-100 existing entries but
> only added a single entry. I would expect it to show me that single addition
> unless it is trying to show me the difference of the entire ACL. So besides a
> notice something has changed I won't be able to tell what has actually
> changed which makes this a bit pointless unless I dump the config a number of
> times a day so I have files to diff via another program?
>

Inside the OSSEC binaries there are buffers that hold the data. These buffers are only so big (I don't know how big off hand), and it's possible your data is being truncated because of these buffer sizes.

You can check the alerts.log file to see if the missing data is present in the actual alert. If so, it's the buffers in ossec-maild that are too small.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of dan (ddp)
> Sent: Tuesday, May 12, 2015 1:22 PM
> To: [email protected]
> Subject: Re: [ossec-list] Agentless network diff not showing correct
> info
>
> On Tue, May 12, 2015 at 1:18 PM, Adam Whelan <[email protected]>
> wrote:
>>
>> Hi,
>>
>> I have the agentless working with my cisco switches. It appears to
>> notice that a change was made to an access control list but does not display
>> the change via the alert email or the alert log. Below is what I receive. I
>> would expect to see the new ACL entry that was added? Any thoughts?
>>
>> OSSEC HIDS Notification.
>> 2015 May 12 13:13:31
>>
>> Received From: (ssh_pixconfig_diff) user@sw-01->agentless
>> Rule: 555 fired (level 7) -> "Integrity checksum for agentless device
>> changed."
>> Portion of the log(s):
>>
>> ossec: agentless: Change detected:
>> 17c17
>> < Current configuration : 20059 bytes
>> ---
>> > Current configuration : 20091 bytes
>> 19c19
>> < ! Last configuration change at 13:39:31 EDT Mon May 11 2015 by user
>> ---
>> > ! Last configuration change at 13:12:37 EDT Tue May 12 2015 by user
>> More changes..
>>
>
> There's a limited amount of space for the configuration diff, apparently not
> enough for whatever change was made on your system.
>
>> Thank You
>>
>> --END OF NOTIFICATION
>>
>> _____________________________
>> Adam Whelan
>> Senior Systems Analyst
>> http://www.blueprintmedicines.com
>> O: 617-714-6761
>> M: 508-364-2118
>> Skype: Adam.Whelan4
>>
>> This email message may contain confidential and privileged information. If
>> you have received this message in error, please contact the sender by
>> replying to this email message and destroy all copies of the original
>> message.
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
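The check dan suggests, comparing the full diff file with what actually reached alerts.log, as an added Python example that is not from the thread or from OSSEC itself. The sample diff and alert text are constructed from the values quoted above; the buffer sizes and the file paths involved are not known here and are not assumed.

```python
import re
# Constructed from the values quoted in this thread: the full diff the
# agentless script produced, and the truncated text that reached alerts.log.
DIFF_FILE = """17c17
< Current configuration : 16328 bytes
---
> Current configuration : 16360 bytes
19c19
< ! Last configuration change at 09:53:33 EST Tue May 12 2015 by netadmin
---
> ! Last configuration change at 12:07:34 EST Tue May 12 2015 by netadmin
248a249
> permit host aaaa.aaaa.aaaa any
"""

ALERT_TEXT = """ossec: agentless: Change detected:
17c17
< Current configuration : 16328 bytes
---
> Current configuration : 16360 bytes
19c19
< ! Last configuration change at 09:53:33 EST Tue May 12 2015 by netadmin
---
> ! Last configuration change at 12:07:34 EST Tue May 12 2015 by netadmin
More changes..
"""

HUNK_RE = re.compile(r"^\d+(,\d+)?[acd]\d+(,\d+)?$")  # 17c17, 248a249, 3,5d2
MARKER = "More changes.."  # how the truncated alerts in this thread end

def parse_hunks(text):
    """Map hunk header -> body lines; stops at the truncation marker."""
    hunks, current = {}, None
    for line in text.splitlines():
        if line == MARKER:
            break
        if HUNK_RE.match(line):
            current = hunks.setdefault(line, [])
        elif current is not None:  # skips the "ossec: agentless:" prefix
            current.append(line)
    return hunks

def was_truncated(alert_text):
    return alert_text.rstrip().endswith(MARKER)

def missing_hunks(diff_text, alert_text):
    """Hunks of the full diff that are absent from or incomplete in the alert."""
    seen = parse_hunks(alert_text)
    return [(h, b) for h, b in parse_hunks(diff_text).items() if seen.get(h) != b]
```

Calling `missing_hunks(DIFF_FILE, ALERT_TEXT)` returns only the 248a249 hunk with its `permit host` line, which is exactly the entry that was chopped off; a hunk cut in the middle of its body is reported as well.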
