Hi all, So we ran into an issue with "Large message size" warnings filling up the ossec.log file and causing the file to grow out of control and use up disk space. I went ahead and commented out the lines in read_syslog.c and read_multiline.c to prevent this from happening in the future, but then noticed after starting OSSEC back up, that the full commands weren't running.
I made sure to backup the original ossec-logcollector, and when I restored it and restarted OSSEC, the full commands showed up as running in the ossec.log At first I thought it was the changes I made with commenting out the "Large message size" lines, so I deleted the dir, untarred to a fresh folder, and compiled straight away. Copied the ossec-logcollector over, restarted OSSEC, and no go with full command. Is there something I'm missing when compiling in src/logcollector? I noticed that read_fullcommand.c does exist in this directory.
