Hi,

I have an OSSEC server receiving IIS logs from several servers via agent configuration, e.g.:

    <localfile>
      <location>PATH/W3SVCx/u_ex%y%m%d%H.log</location>
      <log_format>iis</log_format>
    </localfile>

Everything works like a charm. However, some of my IIS logs are longer than usual (more than 1256 chars long). When this happens, alerts are equally (and correctly) generated, but alert.log doesn't contain the full log line, only 1256. The rest is cut off (including the client IP, which is at the end of the log).

When I run ossec-logtest, I can see that the log is correctly passed, decoded/tested, and the alert is correctly generated. However, if I pass only 1256 chars of the same log line, the decoder will fail and it will give me a standard rule output, e.g. "Access log messages grouped.", with no error.

This gives me the impression that the limitation is somewhere on the ossec-analysis output.

Has anyone ever run into something like this? Is there any size value I can change to correct this?

Thanks in advance!
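
An added example, not part of the original post and not OSSEC code: a Python script that finds IIS W3C log lines longer than the 1256 characters reported above and lists which fields a cut at that length would clip or drop. The sample log and its field order are constructed; the cut length is the poster's figure, not a confirmed OSSEC constant.

```python
# Added example: measure what a cut at CUT characters removes from IIS W3C
# log lines. CUT is the length reported in the post (an assumption here).
CUT = 1256

def fields_lost(log_text, cut=CUT):
    """Return [(line_no, length, [fields clipped or dropped])] for long lines."""
    fields, report = [], []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # W3C header names the columns
            continue
        if line.startswith("#") or len(line) <= cut:
            continue                        # other directives, or short enough
        lost, pos = [], 0
        # IIS separates values with single spaces; track where each value ends.
        for i, value in enumerate(line.split(" ")):
            end = pos + len(value)
            if end > cut:                   # value is clipped or entirely gone
                lost.append(fields[i] if i < len(fields) else f"col{i}")
            pos = end + 1                   # step over the separating space
        report.append((line_no, len(line), lost))
    return report

# Constructed sample: client IP placed last, as described in the post.
SAMPLE = "\n".join([
    "#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip",
    "2024-01-01 00:00:01 GET /index.html - 200 192.0.2.10",
    "2024-01-01 00:00:02 GET /search q=" + "A" * 1300 + " 200 192.0.2.11",
])

if __name__ == "__main__":
    for line_no, length, lost in fields_lost(SAMPLE):
        print(f"line {line_no}: {length} chars, affected fields: {', '.join(lost)}")
```

Run against real u_ex*.log files, this shows how many events would reach the alert output without a usable client IP.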