Santiago, thank you for the idea! ;)

On 02.02.2016 20:30, Santiago Bassett wrote:
> I think this is due to a limitation on the alert message size. I
> guess you will need to look in the code and recompile if you want
> this to work.
>
> On Thu, Jan 28, 2016 at 3:12 PM, q <ijaodiasjiodjsalklksdjakld...@mail.ru> wrote:
>
>> list, sorry for the typo
>> the first example is not "from ossec-alerts.log" but "from ossec.log"
>> cheers.
>>
>> On 29.01.2016 01:49, q wrote:
>>> Hello list!
>>>
>>> OSSEC can "cut" some data from 'full_command' output.
>>>
>>> this is from ossec-alerts.log
>>>
>>> ossec: output: 'tcp_netstat':
>>> Active Internet connections (only servers)
>>> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
>>> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2743/sshd
>>> tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4865/nginx
>>> tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 2623/rsyslogd
>>> tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 12159/ossec-authd
>>> tcp 0 0 ::1:25 :::* LISTEN 2996/master
>>> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2996/master
>>> tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 5132/mongod
>>> tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2885/mysqld
>>> tcp 0 0 127.0.0.1:3333 0.0.0.0:* LISTEN 8089/uwsgi
>>> tcp 0 0 :::587 :::* LISTEN 2623/r
>>>
>>> and this is from ossec-alerts.log
>>>
>>> Active Internet connections (only servers)
>>> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
>>> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2743/sshd
>>> tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4865/nginx
>>> tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 2623/rsyslogd
>>> tcp 0 0 ::1:25 :::* LISTEN 2996/master
>>> tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2996/master
>>> tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 5132/mongod
>>> tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2885/mysqld
>>> tcp 0 0 127.0.0.1:3333 0.0.0.0:* LISTEN 8089/uwsgi
>>> tcp 0 0 :::587 :::* LISTEN 2623/rsyslogd
>>>
>>> Last string from /var/ossec/logs/ossec.log
>>> tcp 0 0 :::587 :::* LISTEN 2623/rsyslogd
>>>
>>> and last string from /var/ossec/logs/alerts/ossec-alerts
>>> tcp 0 0 :::587 :::* LISTEN 2623/r
>>>
>>> Also, check_diff doesn't work properly due to this issue.
>>> I think it's a bug.
>>>
>>> My ossec is 2.8 (rpm from Atomic repo)
>>>
>>> part of my config:
>>>
>>> <localfile>
>>> <alias>tcp_netstat</alias>
>>> <log_format>full_command</log_format>
>>> <command>netstat -tpln |sort</command>
>>> </localfile>
>>>
>>> Thank you!
>>
>> --
>> ---
>> You received this message because you are subscribed to the Google
>> Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it,
>> send an email to ossec-list+unsubscr...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
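An added example, not code from this ossec-list thread or from OSSEC itself: it does by script what the thread does by hand (compare the last line logged in ossec.log with what reached ossec-alerts.log to see whether the alert is a cut-off prefix), and shows the workaround that needs no rebuild, trimming `netstat -tpln` output to a short, sorted listener list so the full_command text stays small and check_diff compares whole lines. The byte budget `ASSUMED_MAX_ALERT_BYTES` is a placeholder assumption, not OSSEC's real limit, which per Santiago's reply is fixed in the source; the netstat text is constructed from the rows quoted in the thread.

```python
"""Detect truncated full_command alerts and compact netstat output.

Added example (not from the ossec-list thread or from OSSEC). The real alert
size limit is compiled into OSSEC; ASSUMED_MAX_ALERT_BYTES below is only a
placeholder so the budget check can be demonstrated offline.
"""

ASSUMED_MAX_ALERT_BYTES = 1024  # placeholder budget, NOT OSSEC's actual constant

# Constructed sample: the full command output as it would be written to ossec.log.
FULL_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2743/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4865/nginx
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2885/mysqld
tcp        0      0 :::587                  :::*                    LISTEN      2623/rsyslogd
"""

# Constructed sample: the same output as it reached ossec-alerts.log, cut
# mid-line so the last entry ends in "2623/r", as in the thread.
ALERT_OUTPUT = FULL_OUTPUT[: FULL_OUTPUT.rfind("rsyslogd") + 1]


def truncation_report(full_output, alert_output):
    """Compare logged command output with the text that landed in the alert.

    Reports whether the alert is a strict prefix of the full output (i.e. it
    was cut), how many bytes are missing, and the last line of each, which is
    the comparison the thread makes by eye between ossec.log and the alert.
    """
    full_b = full_output.encode()
    alert_b = alert_output.encode()
    truncated = len(alert_b) < len(full_b) and full_b.startswith(alert_b)
    return {
        "truncated": truncated,
        "missing_bytes": len(full_b) - len(alert_b) if truncated else 0,
        "last_full_line": full_output.rstrip("\n").splitlines()[-1],
        "last_alert_line": alert_output.rstrip("\n").splitlines()[-1],
    }


def fits_budget(output, max_bytes=ASSUMED_MAX_ALERT_BYTES):
    """True when the output would fit the assumed alert budget without cutting."""
    return len(output.encode()) <= max_bytes


def compact_listeners(netstat_output):
    """Reduce `netstat -tpln` output to 'proto local program' lines, sorted.

    Dropping the banner, header, counters and state columns cuts the bytes per
    listener to a fraction, and a sorted one-line-per-socket list is what
    check_diff needs: a change shows up as a whole added/removed line instead
    of a diff against a listing that may have been cut mid-line.
    """
    rows = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Only TCP data rows (7 columns with -tpln); banner/header lines are skipped.
        if len(fields) < 7 or fields[0] not in ("tcp", "tcp6"):
            continue
        proto, local, program = fields[0], fields[3], fields[6]
        rows.append(f"{proto} {local} {program}")
    return "\n".join(sorted(rows)) + "\n"


if __name__ == "__main__":
    report = truncation_report(FULL_OUTPUT, ALERT_OUTPUT)
    print(f"alert truncated: {report['truncated']}, missing {report['missing_bytes']} bytes")
    print(f"ossec.log last line : {report['last_full_line']}")
    print(f"alert last line     : {report['last_alert_line']}")
    print(f"raw netstat fits budget    : {fits_budget(FULL_OUTPUT, 200)}")
    compact = compact_listeners(FULL_OUTPUT)
    print(f"compact listing fits budget: {fits_budget(compact, 200)}")
    print(compact, end="")
```

In practice the compacting step would be the command itself (an awk or cut pipeline after `netstat -tpln | sort`) so that OSSEC only ever sees the short listing; the Python version above just makes the size reduction and the check_diff-friendly shape easy to see on the thread's own data.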