Thanks Dan, that seemed to have worked.

On Sat, Aug 6, 2011 at 11:48 AM, Jeremy Lee <[email protected]> wrote:
> Good idea.... I'll give that a shot.
>
> Sent from my Verizon Wireless Phone
>
> -----Original Message-----
> From: dan (ddp) <[email protected]>
> Sent: Saturday, August 06, 2011 10:48 AM
> To: [email protected]
> Subject: Re: [ossec-list] Re: Recompiling ossec-logcollector and full
> command?
>
>
> On Sat, Aug 6, 2011 at 1:15 PM, Jeremy Lee <[email protected]> wrote:
> > This is 2.5.1
> > We thought about just upgrading to 2.6 but we need the full_command
> > functionality in the agent.conf
> > I'm not sure what is different about the install.sh compilation of
> > ossec-logcollector, but I know that when I compile from source it doesn't
> > work.
> > I basically did this:
> > 1) in src, run "make all" (also tried just "make libs")
> > 2) in src/logcollector, run "make"
> > 3) cp src/logcollector/ossec-logcollector /var/ossec/bin
> > 4) restart OSSEC
> > 5) OSSEC.log loads only what's in ossec.conf
>
> Why not modify the src and re-run the install.sh?
> Also, diff?
>
> > On Sat, Aug 6, 2011 at 9:50 AM, dan (ddp) <[email protected]> wrote:
> >>
> >> Which version of OSSEC?
> >>
> >> On Sat, Aug 6, 2011 at 12:14 PM, jplee3 <[email protected]> wrote:
> >> > Nevermind my last comment about ossec.conf not being read properly. I
> >> > must have not saved it after editing...doh.
> >> >
> >> > It seems to work fine. But agent.conf doesn't seem to be processed in
> >> > still.
> >> >
> >> > On Aug 5, 4:54 pm, jplee3 <[email protected]> wrote:
> >> >> Hi all,
> >> >>
> >> >> So we ran into an issue with "Large message size" warnings filling up
> >> >> the ossec.log file and causing the file to grow out of control and use
> >> >> up disk space. I went ahead and commented out the lines in
> >> >> read_syslog.c and read_multiline.c to prevent this from happening in
> >> >> the future, but then noticed after starting OSSEC back up, that the
> >> >> full commands weren't running.
> >> >>
> >> >> I made sure to backup the original ossec-logcollector, and when I
> >> >> restored it and restarted OSSEC, the full commands showed up as
> >> >> running in the ossec.log
> >> >>
> >> >> At first I thought it was the changes I made with commenting out the
> >> >> "Large message size" lines, so I deleted the dir, untarred to a fresh
> >> >> folder, and compiled straight away. Copied the ossec-logcollector
> >> >> over, restarted OSSEC, and no go with full command.
> >> >>
> >> >> Is there something I'm missing when compiling in src/logcollector? I
> >> >> noticed that read_fullcommand.c does exist in this directory.
