I actually tried modifying the ossec.conf and ran into the same issue where OSSEC now doesn't seem to read any of its conf files. This is strange. Why would this be happening?
On Aug 5, 4:54 pm, jplee3 <[email protected]> wrote:
> Hi all,
>
> So we ran into an issue with "Large message size" warnings filling up
> the ossec.log file and causing the file to grow out of control and use
> up disk space. I went ahead and commented out the lines in
> read_syslog.c and read_multiline.c to prevent this from happening in
> the future, but then noticed after starting OSSEC back up, that the
> full commands weren't running.
>
> I made sure to backup the original ossec-logcollector, and when I
> restored it and restarted OSSEC, the full commands showed up as
> running in the ossec.log
>
> At first I thought it was the changes I made with commenting out the
> "Large message size" lines, so I deleted the dir, untarred to a fresh
> folder, and compiled straight away. Copied the ossec-logcollector
> over, restarted OSSEC, and no go with full command.
>
> Is there something I'm missing when compiling in src/logcollector? I
> noticed that read_fullcommand.c does exist in this directory.
