Hi all, I've written a custom decoder and rules for Oracle DB audits. Since I also need to audit the complete SQL text, the log message sometimes exceeds the 1025-character limit of a standard syslog message, and this rule is triggered:
    <rule id="1003" level="13" maxsize="1025">
      <description>Non standard syslog message (size too large).</description>
    </rule>

I've found many posts online about ignoring/overwriting the rule, but doing that won't generate any alert at all, or at least it will override even my custom rules. I'd like instead to have these long logs matched against my rules, "skipping" the rule above. Is there a way to do it without modifying the original rule #1003?

Thanks,
Luca
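One way to handle this, shown here as an added example and not as code from the original post or from the OSSEC project: instead of touching rule 1003, add child rules under it in local_rules.xml. The event is still run through the decoders before rule 1003 fires, so a child rule with `<if_sid>1003</if_sid>` can re-classify it by decoder. The decoder name `oracle-audit`, the rule ids 100101/100102, and the matched string are placeholders for your own setup.

```xml
<!-- Added example, not part of the original post. Assumptions to verify
     against your own installation:
     - the custom decoder is named "oracle-audit" (placeholder name);
     - OSSEC raises the alert for the most specific matching rule, so when
       100101 matches, no separate rule-1003 alert is generated;
     - rule ids 100101 and 100102 are unused in your local rules. -->
<group name="local,oracle,">

  <!-- Oversized Oracle audit records: rule 1003 matched because the event
       exceeded 1025 bytes, but the event was already decoded, so we can
       hang a child rule under 1003 and classify it by decoder. -->
  <rule id="100101" level="5">
    <if_sid>1003</if_sid>
    <decoded_as>oracle-audit</decoded_as>
    <description>Oracle audit record (oversized syslog message, re-classified).</description>
    <group>oracle_audit,</group>
  </rule>

  <!-- Detection logic then chains off 100101 exactly as it would off a
       normal-sized record. The matched string is a placeholder for whatever
       your decoder/audit format actually emits for a failed statement. -->
  <rule id="100102" level="10">
    <if_sid>100101</if_sid>
    <match>RETURNCODE_PLACEHOLDER</match>
    <description>Oracle audit: failed statement in oversized record.</description>
    <group>oracle_audit,authentication_failed,</group>
  </rule>

</group>
```

If raising the size limit is acceptable after all, OSSEC also lets local_rules.xml redefine a stock rule with `overwrite="yes"` (for example rule 1003 with a larger `maxsize`), which leaves the shipped rules_config.xml untouched; the child-rule approach above is the one that keeps 1003's own behaviour intact for every other oversized message.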