Even at 2048 I get occasional hits.  :-\

On Wednesday, June 27, 2018 at 5:48:44 AM UTC-7, dan (ddpbsd) wrote:
>
> On Mon, Jun 25, 2018 at 2:55 PM, Mark M <pla...@gmail.com> wrote: 
> > 
> > Thanks Dan. Should I titrate the number down as far as possible, or does it 
> > matter really? 
> > 
>
> I'm not sure it matters too much. OSSEC needs to move forward at some 
> point. 
> 2048 seems reasonable. 
>
> > 
> > On Saturday, June 23, 2018 at 2:59:25 PM UTC-7, dan (ddpbsd) wrote: 
> >> 
> >> On Fri, Jun 22, 2018 at 8:19 PM, Mark M <pla...@gmail.com> wrote: 
> >> > 
> >> > Since going to CentOS 7, and installing BigFix on all systems I get a 
> >> > LOT of syslog rule 1003 (file too large) messages. 
> >> > 
> >> >   <rule id="1003" level="13" maxsize="1025"> 
> >> >     <description>Non standard syslog message (size too large).</description> 
> >> >   </rule> 
> >> > 
> >> > What was used to determine the 1025 number? Is this meant to be 
> >> > adjusted, or is it a moving target for the maintainers that needs to be revisited? 
> >> > 
> >> 
> >> In the past syslog was limited to 1024 bytes, so longer messages 
> >> didn't follow the rules. This can probably be adjusted now. 
> >> I think some of the OSSEC internals may still be limited to 1024 
> >> though, so these would eventually have to be raised (but I haven't looked 
> >> at this in a while, so I could be remembering old info) 
> >> 
> >> > OSSEC Log sample: 
> >> > 
> >> > ** Alert 1529706477.1462418: mail  - syslog,errors, 
> >> > 2018 Jun 22 15:27:57 (aspen) xxx.xxx.xxx.xxx->/var/log/secure 
> >> > Rule: 1003 (level 13) -> 'Non standard syslog message (size too large).' 
> >> > Jun 22 15:27:57 aspen audisp-graylog: {"audit_category":"write","audit_summary":"Write: /var/opt/BESClient/__BESData/__Global/UsageData/pickup.stat","audit_hostname":"xxx.xxx.xxx.xxx","audit_timestamp":"2018-06-22T15:27:57-0700","audit_plugin":"audisp-graylog","audit_version":"1.0.0","audit":{"serial":"757820","rdev":"00:00","ogid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/__BESData/__Global/UsageData/pickup.stat","serial":"757820","rdev":"00:00","ogid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/__BESData/__Global/UsageData/pickup.stattmp","serial":"757820","rdev":"00:00","ogid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/__BESData/__Global/UsageData/","serial":"757820","rdev":"00:00","ogid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/__BESData/__Global/UsageData/","serial":"757820","cwd":"/home/mmoorcro","serial":"757820","session":"356","fsgid":"0","sgid":"0","egid":"0","fsuid":"0","suid":"0","euid":"0","gid":"0","pid":"104939","ppid":"1","process":"/opt/BESClient/bin/BESClient","tty":"(none)","uid":"0","user":"root","originaluid":"853945932","orig
> >> > 
>
> >> > 
> >> > 
> >> > Actual log event: 
> >> > 
> >> > Jun 22 15:27:57 aspen audisp-graylog: {"audit_category":"write","audit_summary":"Write: /var/opt/BESClient/__BESData/__Global/UsageData/pickup.stat","audit_hostname":"xxx.xxx.xxx.xxx","audit_timestamp":"2018-06-22T15:27:57-0700","audit_plugin":"audisp-graylog","audit_version":"1.0.0","audit":{"serial":"757820","rdev":"00:00","ogid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/__BESData/__Global/UsageData/pickup.stat","serial":"757820","rdev":"00:00","ogid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/__BESData/__Global/UsageData/pickup.stattmp","serial":"757820","rdev":"00:00","ogid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/__BESData/__Global/UsageData/","serial":"757820","rdev":"00:00","ogid":"0","ouid":"0","mode":"040700","dev":"fd:06","inode":"8716650","path":"/var/opt/BESClient/__BESData/__Global/UsageData/","serial":"757820","cwd":"/home/mmoorcro","serial":"757820","session":"356","fsgid":"0","sgid":"0","egid":"0","fsuid":"0","suid":"0","euid":"0","gid":"0","pid":"104939","ppid":"1","process":"/opt/BESClient/bin/BESClient","tty":"(none)","uid":"0","user":"root","originaluid":"853945932","originaluser":"mmoorcro","parentprocess":"systemd","auditkey":"delete","processname":"BESClient","serial":"757820"}}
> >> > 
>
> >> > 
> >> > 
> >> > I grant you that the audisp-graylog plugin has some issues. Unfortunately 
> >> > the author is probably never going to look at it again. Regardless, if I 
> >> > double 1025 to 2048, the 1003 messages stop. I'm also wondering about the 
> >> > messages being truncated in the OSSEC log. Presumably changes to the syslog 
> >> > rule may get overwritten at any time. 
> >> > 
> >> > -- 
> >> > 
> >> > --- 
> >> > You received this message because you are subscribed to the Google Groups "ossec-list" group. 
> >> > To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com. 
> >> > For more options, visit https://groups.google.com/d/optout. 
>
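To put numbers behind the "titrate it down" question, here is an added example (not code from this thread, from OSSEC, or from the audisp-graylog plugin) that measures event sizes in a log sample and counts how many would trip rule 1003 at each candidate maxsize. It assumes OSSEC fires the rule when an event is strictly longer than maxsize, and every sample line, including the audisp-graylog style JSON, is constructed here rather than captured.

```python
"""Survey event sizes to pick a maxsize for OSSEC rule 1003 from data.
The sample lines are constructed for this example; to measure real traffic,
replace SAMPLE_LOG with the readlines() of a file such as /var/log/secure."""

def _fake_audit_event(repeat):
    # Deterministically build an oversized audisp-graylog style JSON event
    # (constructed data, not a captured log line).
    path = "/var/opt/BESClient/__BESData/__Global/UsageData/pickup.stat"
    field = '{"serial":"757820","mode":"040700","path":"%s"}' % path
    return ('Jun 22 15:27:57 aspen audisp-graylog: {"audit_category":"write",'
            '"audit":[' + ",".join([field] * repeat) + "]}")

SAMPLE_LOG = [
    "Jun 22 15:27:55 aspen sshd[1201]: Accepted publickey for ops from 10.0.0.5",
    "Jun 22 15:27:56 aspen systemd: Started Session 356 of user mmoorcro.",
    _fake_audit_event(12),   # about 1.3 KB: over 1025, under 2048
    "Jun 22 15:27:57 aspen sudo: ops : TTY=pts/0 ; COMMAND=/bin/ls",
    _fake_audit_event(22),   # about 2.3 KB: over 2048 too
]

CANDIDATES = (1025, 2048, 4096, 8192)

def event_size(line):
    """Size as OSSEC sees it: raw bytes of the event, not characters."""
    return len(line.rstrip("\r\n").encode("utf-8"))

def oversized(lines, maxsize):
    """Sizes of the events that would trip rule 1003 at this maxsize.
    Assumption: OSSEC fires when size > maxsize, so a 1025-byte event is
    still accepted at maxsize="1025" and a 1026-byte one is not."""
    return [s for s in map(event_size, lines) if s > maxsize]

def hits_by_threshold(lines, candidates=CANDIDATES):
    """Rule-1003 hit count per candidate maxsize, for titrating the value."""
    sizes = [event_size(line) for line in lines]
    return {m: sum(1 for s in sizes if s > m) for m in candidates}

def smallest_quiet_maxsize(lines, candidates=CANDIDATES):
    """Smallest candidate at which no sampled event fires; None if all do."""
    for m in sorted(candidates):
        if not oversized(lines, m):
            return m
    return None

if __name__ == "__main__":
    for m, n in hits_by_threshold(SAMPLE_LOG).items():
        print(f"maxsize={m}: {n} event(s) would trigger rule 1003")
    print("largest sampled event:", max(map(event_size, SAMPLE_LOG)), "bytes")
    print("smallest quiet maxsize:", smallest_quiet_maxsize(SAMPLE_LOG))
```

Whatever value the survey suggests, placing the changed rule in local_rules.xml with overwrite="yes" rather than editing syslog_rules.xml is what keeps an OSSEC upgrade from reverting it, which is the concern raised above about the change being overwritten.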
