BTW: The initial cause of this issue seems to be related to requests too long for OSSEC to handle. But OSSEC shouldn't grow the logs so tremendously huge when it encounters multiple events that are too large. I think this might be a bug. This is a snippet of what I see when looking at an ossec.log that has grown out of control
"'2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: Large message size: '2011/08/07 23:38:01 ossec-logcollector: "

It seems like it gets into a loop that starts spewing out the "Large message size" because it seems to start reading each word as a line at some point (maybe when the event is a certain # of words long). I'll have to research more, but has anyone else come across this?

On Aug 7, 8:08 am, Jeremy Lee <[email protected]> wrote:
> Thanks Dan, that seemed to have worked.
>
> On Sat, Aug 6, 2011 at 11:48 AM, Jeremy Lee <[email protected]> wrote:
> > Good idea.... I'll give that a shot.
> >
> > Sent from my Verizon Wireless Phone
> >
> > -----Original Message-----
> > From: dan (ddp) <[email protected]>
> > Sent: Saturday, August 06, 2011 10:48 AM
> > To: [email protected]
> > Subject: Re: [ossec-list] Re: Recompiling ossec-logcollector and full command?
> >
> > On Sat, Aug 6, 2011 at 1:15 PM, Jeremy Lee <[email protected]> wrote:
> > > This is 2.5.1
> > > We thought about just upgrading to 2.6 but we need the full_command functionality in the agent.conf
> > > I'm not sure what is different about the install.sh compilation of ossec-logcollector, but I know that when I compile from source it doesn't work.
> > > I basically did this:
> > > 1) in src, run "make all" (also tried just "make libs")
> > > 2) in src/logcollector, run "make"
> > > 3) cp src/logcollector/ossec-logcollector /var/ossec/bin
> > > 4) restart OSSEC
> > > 5) OSSEC.log loads only what's in ossec.conf
> >
> > Why not modify the src and re-run the install.sh?
> > Also, diff?
> >
> > > On Sat, Aug 6, 2011 at 9:50 AM, dan (ddp) <[email protected]> wrote:
> > >> Which version of OSSEC?
> > >>
> > >> On Sat, Aug 6, 2011 at 12:14 PM, jplee3 <[email protected]> wrote:
> > >> > Nevermind my last comment about ossec.conf not being read properly. I must have not saved it after editing...doh.
> > >> >
> > >> > It seems to work fine. But agent.conf doesn't seem to be processed in still.
> > >> >
> > >> > On Aug 5, 4:54 pm, jplee3 <[email protected]> wrote:
> > >> >> Hi all,
> > >> >>
> > >> >> So we ran into an issue with "Large message size" warnings filling up the ossec.log file and causing the file to grow out of control and use up disk space. I went ahead and commented out the lines in read_syslog.c and read_multiline.c to prevent this from happening in the future, but then noticed after starting OSSEC back up, that the full commands weren't running.
> > >> >>
> > >> >> I made sure to backup the original ossec-logcollector, and when I restored it and restarted OSSEC, the full commands showed up as running in the ossec.log
> > >> >>
> > >> >> At first I thought it was the changes I made with commenting out the "Large message size" lines, so I deleted the dir, untarred to a fresh folder, and compiled straight away. Copied the ossec-logcollector over, restarted OSSEC, and no go with full command.
> > >> >>
> > >> >> Is there something I'm missing when compiling in src/logcollector? I noticed that read_fullcommand.c does exist in this directory.
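An added example, written for this page and not taken from OSSEC or from anyone in the thread: a small Python check that scans an ossec.log for the pattern shown in the snippet above (a burst of "Large message size" warnings whose payload is itself a "Large message size" warning), plus a model of why a warning that echoes the offending line verbatim into a file the collector also reads comes out longer than the line it complains about, and how capping the echoed payload stops that growth. The warning format is modelled on the snippet; the 6144-byte limit, the sample log lines and every function name are assumptions made here, not OSSEC's code or configuration, and whether OSSEC's actual loop arises this way is not established in the thread.

```python
"""Check an ossec.log for self-amplifying "Large message size" warnings.

Added example for this page; not OSSEC code. The warning format below is
modelled on the snippet in the post above; the size limit, sample log lines
and function names are constructed here (assumptions, not OSSEC's).
"""
import re
from collections import Counter

TS = "2011/08/07 23:38:01"                       # timestamp taken from the snippet
WARN_MARKER = "ossec-logcollector: Large message size: '"
WARN_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"ossec-logcollector: Large message size: '(?P<payload>.*)$"
)
MAX_EVENT = 6144   # assumed per-event limit; the real value is not given in the thread


def nesting_depth(line):
    """Number of 'Large message size' warnings stacked inside one line.
    Depth 1 is a normal warning about an oversize event. Depth > 1 means the
    payload of a warning is itself a warning, i.e. the collector has read a
    line that it wrote, which is the loop the post describes."""
    return line.count(WARN_MARKER)


def analyze(lines, burst_threshold=10):
    """Summarise a log: warning count, deepest nesting, per-second bursts."""
    per_second = Counter()
    max_depth = 0
    for line in lines:
        m = WARN_RE.match(line.rstrip("\n"))
        if not m:
            continue
        per_second[m.group("ts")] += 1
        max_depth = max(max_depth, nesting_depth(line))
    bursts = {ts: n for ts, n in per_second.items() if n >= burst_threshold}
    return {
        "warnings": sum(per_second.values()),
        "max_depth": max_depth,
        "bursts": bursts,
        "feedback_loop": max_depth > 1,
    }


def echo_warning(ts, offending):
    """Warning as the snippet shows it: the offending line is echoed in full,
    so each warning is 62 bytes (prefix plus closing quote) longer than the
    line it complains about."""
    return f"{ts} {WARN_MARKER}{offending}'"


def capped_warning(ts, offending, max_payload=128):
    """Hardened form: bound the echoed payload. The warning then never
    exceeds the event limit itself, so it cannot trigger another warning."""
    if len(offending) > max_payload:
        offending = offending[:max_payload] + "...[+%d bytes]" % (len(offending) - max_payload)
    return f"{ts} {WARN_MARKER}{offending}'"


def feedback(seed, formatter, rounds, limit=MAX_EVENT):
    """Model the collector reading the file it writes warnings to. Each
    round, if the last line written is over `limit`, a warning about it is
    written and becomes the next input. Returns the length of every line.
    With echo_warning the list grows for as long as it is allowed to run;
    with capped_warning it stops after a single warning."""
    lengths = [len(seed)]
    line = seed
    for _ in range(rounds):
        if len(line) <= limit:
            break
        line = formatter(TS, line)
        lengths.append(len(line))
    return lengths


# Constructed sample log, not a real ossec.log: one ordinary line, one
# genuine oversize warning, one triple-nested warning shaped like the
# poster's snippet, and a burst of ten warnings in the same second.
SAMPLE_LOG = [
    f"{TS} ossec-logcollector: Analyzing file: '/var/log/messages'.",
    echo_warning(TS, "x" * 100),
    echo_warning(TS, echo_warning(TS, echo_warning(TS, "y" * 100))),
] + [echo_warning(TS, "z" * 50) for _ in range(10)]


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
    seed = "A" * 7000                       # one event over the assumed limit
    print("echo:  ", feedback(seed, echo_warning, 5))
    print("capped:", feedback(seed, capped_warning, 5))
```

Run it as a script for the summary, or pass open("/var/ossec/logs/ossec.log") to analyze() to get the same dictionary for a real file. On this model the figure to look at is max_depth: anything above 1 means the collector is reading its own warnings back, and the file will keep growing until that loop is broken and the log rotated; a high per-second count with depth 1 is just a genuinely noisy source.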
