Dan, yes, it's a good idea!

thank you ;)




On 02.02.2016 23:38, dan (ddp) wrote:
>
> Opening an issue on github might also be a good idea. It'll help devs
> keep it in mind when they look for things to do.
>
> On Feb 2, 2016 3:24 PM, "Santiago Bassett" <santiago.bass...@gmail.com
> <mailto:santiago.bass...@gmail.com>> wrote:
>
>     There are several email threads in this list reporting similar
>     issues. I recommend you keep an eye on those as well. I haven't
>     had much time to look into it, but it seems there are several
>     places where the message can be cut off. In src/headers/defs.h you
>     will find some constants that are used to limit those sizes.
>
>     This one seems interesting.
>
>     src/headers/defs.h:#define OS_MAXSTR       OS_SIZE_6144    /* Size for logs, sockets, etc  */
>
>
>     On Tue, Feb 2, 2016 at 12:21 PM, q
>     <ijaodiasjiodjsalklksdjakld...@mail.ru
>     <mailto:ijaodiasjiodjsalklksdjakld...@mail.ru>> wrote:
>
>
>         Santiago, thank you for the idea!
>
>         ;)
>
>
>
>
>
>         On 02.02.2016 20:30, Santiago Bassett wrote:
>>         I think this is due to a limitation on the alert message
>>         size. I guess, you will need to look in the code and
>>         recompile if you want this to work. 
>>
>>         On Thu, Jan 28, 2016 at 3:12 PM, q
>>         <ijaodiasjiodjsalklksdjakld...@mail.ru
>>         <mailto:ijaodiasjiodjsalklksdjakld...@mail.ru>> wrote:
>>
>>
>>             list, sorry for the typo
>>
>>             the first example is not "from ossec-alerts.log" but
>>             "from ossec.log"
>>
>>             cheers.
>>
>>
>>             On 29.01.2016 01:49, q wrote:
>>             > Hello list!
>>             >
>>             > OSSEC can "cut" some data from 'full_command' output.
>>             >
>>             >
>>             >
>>             > this is from ossec-alerts.log
>>             >
>>             > ossec: output: 'tcp_netstat':
>>             > Active Internet connections (only servers)
>>             > Proto Recv-Q Send-Q Local Address    Foreign Address    State   PID/Program name
>>             > tcp        0      0 0.0.0.0:22       0.0.0.0:*          LISTEN  2743/sshd
>>             > tcp        0      0 0.0.0.0:443      0.0.0.0:*          LISTEN  4865/nginx
>>             > tcp        0      0 0.0.0.0:587      0.0.0.0:*          LISTEN  2623/rsyslogd
>>             > tcp        0      0 0.0.0.0:80       0.0.0.0:*          LISTEN  12159/ossec-authd
>>             > tcp        0      0 ::1:25           :::*               LISTEN  2996/master
>>             > tcp        0      0 127.0.0.1:25     0.0.0.0:*          LISTEN  2996/master
>>             > tcp        0      0 127.0.0.1:27017  0.0.0.0:*          LISTEN  5132/mongod
>>             > tcp        0      0 127.0.0.1:3306   0.0.0.0:*          LISTEN  2885/mysqld
>>             > tcp        0      0 127.0.0.1:3333   0.0.0.0:*          LISTEN  8089/uwsgi
>>             > tcp        0      0 :::587           :::*               LISTEN  2623/r
>>             >
>>             >
>>             >
>>             > and this is from ossec-alerts.log
>>             >
>>             > Active Internet connections (only servers)
>>             > Proto Recv-Q Send-Q Local Address    Foreign Address    State   PID/Program name
>>             > tcp        0      0 0.0.0.0:22       0.0.0.0:*          LISTEN  2743/sshd
>>             > tcp        0      0 0.0.0.0:443      0.0.0.0:*          LISTEN  4865/nginx
>>             > tcp        0      0 0.0.0.0:587      0.0.0.0:*          LISTEN  2623/rsyslogd
>>             > tcp        0      0 ::1:25           :::*               LISTEN  2996/master
>>             > tcp        0      0 127.0.0.1:25     0.0.0.0:*          LISTEN  2996/master
>>             > tcp        0      0 127.0.0.1:27017  0.0.0.0:*          LISTEN  5132/mongod
>>             > tcp        0      0 127.0.0.1:3306   0.0.0.0:*          LISTEN  2885/mysqld
>>             > tcp        0      0 127.0.0.1:3333   0.0.0.0:*          LISTEN  8089/uwsgi
>>             > tcp        0      0 :::587           :::*               LISTEN  2623/rsyslogd
>>             >
>>             >
>>             >
>>             > Last string from /var/ossec/logs/ossec.log
>>             > tcp        0      0 :::587           :::*               LISTEN  2623/rsyslogd
>>             >
>>             >
>>             > and last string from /var/ossec/logs/alerts/ossec-alerts
>>             > tcp        0      0 :::587           :::*               LISTEN  2623/r
>>             >
>>             >
>>             >
>>             > Also, check_diff doesn't work properly due to this issue.
>>             > I think it's a bug.
>>             >
>>             >
>>             >
>>             > My ossec is 2.8 (rpm from Atomic repo)
>>             >
>>             > part of my config:
>>             >
>>             > <localfile>
>>             >         <alias>tcp_netstat</alias>
>>             >         <log_format>full_command</log_format>
>>             >         <command>netstat -tpln |sort</command>
>>             > </localfile>
>>             >
>>             >
>>             >
>>             > Thank you!
>>             >
>>
>>             --
>>
>>             ---
>>             You received this message because you are subscribed to
>>             the Google Groups "ossec-list" group.
>>             To unsubscribe from this group and stop receiving emails
>>             from it, send an email to
>>             ossec-list+unsubscr...@googlegroups.com
>>             <mailto:ossec-list%2bunsubscr...@googlegroups.com>.
>>             For more options, visit https://groups.google.com/d/optout.
>>
>>
>
>
>
>

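As an added example (not code from this thread or from OSSEC itself), a small Python check a defender could run against a full_command definition: it pulls the full_command entries out of a conf fragment, estimates whether the "ossec: output: 'alias': " line would reach the OS_MAXSTR value quoted above, and reports what an alert copy is missing relative to the ossec.log copy. The conf and netstat lines are constructed from the thread's own report, and the assumption that OS_MAXSTR is the binding limit is marked in the comments.

```python
import re
from typing import List, Optional, Tuple

# OS_MAXSTR as quoted from src/headers/defs.h above (OS_SIZE_6144).  The thread
# notes other, smaller limits elsewhere, so staying under this is necessary, not
# sufficient; treating it as the binding cut-off is an assumption here.
OS_MAXSTR = 6144

# Constructed sample input: the full_command output as written to ossec.log and
# the shorter copy that reached ossec-alerts.log (ending in "2623/r", as reported).
FULL_OUTPUT = (
    "Active Internet connections (only servers)\n"
    "Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name\n"
    "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2743/sshd\n"
    "tcp 0 0 :::587 :::* LISTEN 2623/rsyslogd"
)
ALERT_OUTPUT = FULL_OUTPUT[:-7]  # constructed truncation: "...2623/r"

SAMPLE_CONF = """<localfile>
        <alias>tcp_netstat</alias>
        <log_format>full_command</log_format>
        <command>netstat -tpln |sort</command>
</localfile>"""

def full_command_entries(conf: str) -> List[Tuple[str, str]]:
    """(alias, command) for every <localfile> block that uses full_command."""
    entries = []
    for block in re.findall(r"<localfile>(.*?)</localfile>", conf, re.S):
        fmt = re.search(r"<log_format>\s*(\S+)\s*</log_format>", block)
        if fmt is None or fmt.group(1) != "full_command":
            continue
        alias = re.search(r"<alias>\s*(.*?)\s*</alias>", block, re.S)
        cmd = re.search(r"<command>\s*(.*?)\s*</command>", block, re.S)
        entries.append((alias.group(1) if alias else "", cmd.group(1) if cmd else ""))
    return entries

def exceeds_limit(alias: str, output: str, limit: int = OS_MAXSTR) -> bool:
    """True if the "ossec: output: 'alias': " header plus output needs >= limit bytes."""
    header = "ossec: output: '%s': " % alias
    return len((header + output).encode("utf-8")) >= limit  # >= leaves room for the NUL

def missing_tail(full: str, alert: str) -> Optional[str]:
    """Part of the full output absent from the alert copy; None if both match."""
    if alert == full:
        return None
    if full.startswith(alert):
        return full[len(alert):]
    return full  # copies diverge rather than merely truncate: report everything
```

Run `missing_tail` over the last full_command block of ossec.log and of ossec-alerts.log to confirm a suspected cut before recompiling with larger constants.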
