On Mon, Jan 27, 2014 at 8:16 AM, Michiel van Es <[email protected]> wrote:
> Hi,
>
> Is anyone using OSSEC => syslog => Logstash => Kibana for their setup?
> We found out that the netstat -tan diff ran by syscheck gives only the first
> line of the diff:
>
> <132>Jan 27 11:37:43 local-machine-001 ossec: Alert Level: 7; Rule: 533 -
> Listened ports status (netstat) changed (new port opened or closed).;
> Location: local-machine-001->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort;
> ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'
>
> and it does not show the diff output (the 2 netstat -tan outputs).
>
> Does anyone else have this issue and if so, how did you fix it with
> (r)syslog?
> OSSEC 2.7.1 on Red Hat 6 64 bit (Atomic repo) and OSSEC and Logstash/Kibana
> run on 2 separate machines.
>
I haven't looked into this really, but I think the syslog output is limited to 1024(?)k (an old syslog limit). Diffs wouldn't really transfer via syslog very well anyways, so I'm not sure they'd be worth it.

> Michiel
>
> --
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
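Added example, not from the thread or the OSSEC project: a small Python parser for the OSSEC syslog alert format quoted above (the same fields a Logstash filter would split out), plus a check that flags alerts whose `ossec: output:` field carries only the command line and no diff body, which is the symptom described. Both sample lines are constructed; the diff lines in the "complete" sample are made up for illustration.

```python
import re

# Constructed sample modelled on the alert quoted in the thread: the
# "ossec: output:" field holds only the command line, no diff body.
TRUNCATED = (
    "<132>Jan 27 11:37:43 local-machine-001 ossec: Alert Level: 7; "
    "Rule: 533 - Listened ports status (netstat) changed (new port opened or closed).; "
    "Location: local-machine-001->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort; "
    "ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort'"
)

# Constructed sample of what a complete alert would carry: the command
# followed by the diff lines (socket values below are made up).
COMPLETE = TRUNCATED[:-1] + (
    "\n< tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN"
    "\n> tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN'"
)

# PRI, RFC 3164 timestamp, host, then the OSSEC alert fields separated by "; ".
ALERT_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ossec: "
    r"Alert Level: (?P<level>\d+); Rule: (?P<rule>\d+) - (?P<desc>.*?); "
    r"Location: (?P<location>.*?); ossec: output: '(?P<output>.*)'$",
    re.S,
)

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity) names."""
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_alert(line):
    """Parse one OSSEC syslog alert line into a dict; ValueError if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("not an OSSEC syslog alert: %r" % line[:60])
    a = m.groupdict()
    a["level"], a["rule"] = int(a["level"]), int(a["rule"])
    a["facility"], a["severity"] = decode_pri(int(a["pri"]))
    return a

def output_is_truncated(alert):
    """A command-diff alert should hold the command plus diff lines; a single line means the body was lost."""
    return "\n" not in alert["output"]
```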
