Even at 2048 I get occasional hits. :-\

On Wednesday, June 27, 2018 at 5:48:44 AM UTC-7, dan (ddpbsd) wrote:
>
> On Mon, Jun 25, 2018 at 2:55 PM, Mark M <pla...@gmail.com> wrote:
> >
> > Thanks Dan. Should I titrate the number down as far as possible, or does it matter really?
> >
>
> I'm not sure it matters too much. OSSEC needs to move forward at some point. 2048 seems reasonable.
>
> > On Saturday, June 23, 2018 at 2:59:25 PM UTC-7, dan (ddpbsd) wrote:
> >>
> >> On Fri, Jun 22, 2018 at 8:19 PM, Mark M <pla...@gmail.com> wrote:
> >> >
> >> > Since going to CentOS 7, and installing BigFix on all systems I get a LOT of syslog rule 1003 (file too large) messages.
> >> >
> >> > <rule id="1003" level="13" maxsize="1025">
> >> >   <description>Non standard syslog message (size too large).</description>
> >> > </rule>
> >> >
> >> > What was used to determine the 1025 number? Is this meant to be adjusted, or is it a moving target for the maintainers that needs to be revisited?
> >> >
> >>
> >> In the past syslog was limited to 1024 bytes, so longer messages didn't follow the rules. This can probably be adjusted now. I think some of the OSSEC internals may still be limited to 1024 though, so these would eventually have to be raised (but I haven't looked at this in a while, so I could be remembering old info).
> >>
> >> > OSSEC Log sample:
> >> >
> >> > ** Alert 1529706477.1462418: mail - syslog,errors,
> >> > 2018 Jun 22 15:27:57 (aspen) xxx.xxx.xxx.xxx->/var/log/secure
> >> > Rule: 1003 (level 13) -> 'Non standard syslog message (size too large).'
> >> > Jun 22 15:27:57 aspen audisp-graylog: {"audit_category":"write","audit_summary":"Write: /var/opt/BESClient/__BESData/__Global/UsageData/pickup.stat","audit_hostname":"xxx.xxx.xxx.xxx","audit_timestamp":"2018-06-22T15:27:57-0700","audit_plugin":"audisp-graylog","audit_version":"1.0.0","audit":{"serial":"757820","rdev":"00:00","ogid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/__BESData/__Global/UsageData/pickup.stat","serial":"757820","rdev":"00:00","ogid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/__BESData/__Global/UsageData/pickup.stattmp","serial":"757820","rdev":"00:00","ogid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/__BESData/__Global/UsageData/","serial":"757820","rdev":"00:00","ogid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/__BESData/__Global/UsageData/","serial":"757820","cwd":"/home/mmoorcro","serial":"757820","session":"356","fsgid":"0","sgid":"0","egid":"0","fsuid":"0","suid":"0","euid":"0","gid":"0","pid":"104939","ppid":"1","process":"/opt/BESClient/bin/BESClient","tty":"(none)","uid":"0","user":"root","originaluid":"853945932","orig
> >> >
> >> > Actual log event:
> >> >
> >> > Jun 22 15:27:57 aspen audisp-graylog: {"audit_category":"write","audit_summary":"Write: /var/opt/BESClient/__BESData/__Global/UsageData/pickup.stat","audit_hostname":"xxx.xxx.xxx.xxx","audit_timestamp":"2018-06-22T15:27:57-0700","audit_plugin":"audisp-graylog","audit_version":"1.0.0","audit":{"serial":"757820","rdev":"00:00","ogid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/__BESData/__Global/UsageData/pickup.stat","serial":"757820","rdev":"00:00","ogid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/__BESData/__Global/UsageData/pickup.stattmp","serial":"757820","rdev":"00:00","ogid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/__BESData/__Global/UsageData/","serial":"757820","rdev":"00:00","ogid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/__BESData/__Global/UsageData/","serial":"757820","cwd":"/home/mmoorcro","serial":"757820","session":"356","fsgid":"0","sgid":"0","egid":"0","fsuid":"0","suid":"0","euid":"0","gid":"0","pid":"104939","ppid":"1","process":"/opt/BESClient/bin/BESClient","tty":"(none)","uid":"0","user":"root","originaluid":"853945932","originaluser":"mmoorcro","parentprocess":"systemd","auditkey":"delete","processname":"BESClient","serial":"757820"}}
> >> >
> >> > I grant you that the audisp-graylog plugin has some issues. Unfortunately the author is probably never going to look at it again. Regardless, if I double 1025 to 2048, the 1003 messages stop. I'm also wondering about the messages being truncated in the OSSEC log. Presumably changes to the syslog rule may get overwritten at any time.
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
> >> > For more options, visit https://groups.google.com/d/optout.
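The thread above is about picking a maxsize for OSSEC rule 1003 after audisp-graylog started emitting JSON events longer than 1025 bytes. The following is an added example (not OSSEC's code and not from anyone in the thread) that measures which programs actually produce oversized syslog lines so the threshold can be chosen from data instead of doubled blindly. It assumes classic BSD syslog line layout ("Mon DD HH:MM:SS host program[pid]: message"), measures length in UTF-8 bytes, and the sample lines are constructed.

```python
"""Size audit for OSSEC rule 1003 ("Non standard syslog message (size too large)").

Added example, not OSSEC's own code. Rule 1003 fires when a message is longer than
its maxsize (1025 bytes in the stock rule); this reports who is over the limit and
what the smallest limit would be that keeps a chosen program quiet.
"""
import re
from collections import defaultdict

# Classic BSD syslog prefix, as in the thread's "Jun 22 15:27:57 aspen audisp-graylog: ..."
SYSLOG_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ([^:\[\s]+)(?:\[\d+\])?: ")


def oversized_by_program(lines, maxsize=1025):
    """Return {program: (count_over, longest_bytes)} for lines longer than maxsize bytes."""
    stats = defaultdict(lambda: [0, 0])
    for line in lines:
        n = len(line.encode("utf-8"))  # a byte limit, so measure bytes, not characters
        if n <= maxsize:
            continue
        m = SYSLOG_RE.match(line)
        prog = m.group(1) if m else "<unparsed>"
        stats[prog][0] += 1
        stats[prog][1] = max(stats[prog][1], n)
    return {prog: tuple(v) for prog, v in stats.items()}


def smallest_maxsize_silencing(lines, programs):
    """Smallest maxsize at which no line from the given programs would trip rule 1003."""
    longest = 0
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m and m.group(1) in programs:
            longest = max(longest, len(line.encode("utf-8")))
    return longest


# Constructed sample: one ordinary line, one audisp-graylog event padded past 1025 bytes,
# and one audisp-graylog event that is long but still under the stock limit.
SAMPLE = [
    "Jun 22 15:27:57 aspen sshd[1234]: Accepted publickey for root from 10.0.0.5 port 2222",
    "Jun 22 15:27:57 aspen audisp-graylog: " + '{"audit_category":"write","path":"'
    + "/var/opt/BESClient/" * 60 + '"}',
    "Jun 22 15:27:58 aspen audisp-graylog: " + '{"audit_category":"exec","path":"'
    + "/opt/BESClient/bin/" * 40 + '"}',
]

if __name__ == "__main__":
    for prog, (count, longest) in oversized_by_program(SAMPLE).items():
        print(f"{prog}: {count} oversized line(s), longest {longest} bytes")
    print("minimum maxsize for audisp-graylog:", smallest_maxsize_silencing(SAMPLE, {"audisp-graylog"}))
```

Run it over a day's worth of /var/log/secure (or the agent's own log) instead of SAMPLE to see whether 2048 is generous enough or whether a specific program needs a larger limit.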