I think this is due to a limitation on the alert message size. I guess you
will need to look in the code and recompile if you want this to work.

On Thu, Jan 28, 2016 at 3:12 PM, q <[email protected]>
wrote:

>
> list, sorry for the typo
>
> the first example is not "from ossec-alerts.log" but "from ossec.log"
>
> cheers.
>
>
> On 29.01.2016 01:49, q wrote:
> > Hello list!
> >
> > OSSEC can "cut" some data from 'full_command' output.
> >
> >
> >
> > this is from ossec-alerts.log
> >
> > ossec: output: 'tcp_netstat':
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> > tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2743/sshd
> > tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4865/nginx
> > tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2623/rsyslogd
> > tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      12159/ossec-authd
> > tcp        0      0 ::1:25                  :::*                    LISTEN      2996/master
> > tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2996/master
> > tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      5132/mongod
> > tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2885/mysqld
> > tcp        0      0 127.0.0.1:3333          0.0.0.0:*               LISTEN      8089/uwsgi
> > tcp        0      0 :::587                  :::*                    LISTEN      2623/r
> >
> >
> >
> > and this is from ossec-alerts.log
> >
> > Active Internet connections (only servers)
> > Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> > tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2743/sshd
> > tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4865/nginx
> > tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2623/rsyslogd
> > tcp        0      0 ::1:25                  :::*                    LISTEN      2996/master
> > tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2996/master
> > tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      5132/mongod
> > tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2885/mysqld
> > tcp        0      0 127.0.0.1:3333          0.0.0.0:*               LISTEN      8089/uwsgi
> > tcp        0      0 :::587                  :::*                    LISTEN      2623/rsyslogd
> >
> >
> >
> > Last line from /var/ossec/logs/ossec.log:
> > tcp        0      0 :::587                  :::*                    LISTEN      2623/rsyslogd
> >
> >
> > and last line from /var/ossec/logs/alerts/ossec-alerts:
> > tcp        0      0 :::587                  :::*                    LISTEN      2623/r
> >
> >
> >
> > Also, check_diff doesn't work properly due to this issue.
> > I think it's a bug.
> >
> >
> >
> > My OSSEC is 2.8 (rpm from the Atomic repo)
> >
> > part of my config:
> >
> > <localfile>
> >         <alias>tcp_netstat</alias>
> >         <log_format>full_command</log_format>
> >         <command>netstat -tpln |sort</command>
> > </localfile>
> >
> >
> >
> > Thank you!
> >
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>

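The reply above attributes the cut to a limit on the alert message size, and the report shows the two copies of the same listing (ossec.log intact, the alert cut inside the last program name). Below is an added example, not part of the thread and not OSSEC code, that does what a practitioner would do next: confirm the "plain byte cut" theory by checking that the alert copy is a byte-prefix of the ossec.log copy, measure where the cut lands, and then shrink the command output so it fits under the observed cut point. The netstat listing is a constructed sample modelled on the one in the thread, not captured from a live host; the "ossec: output: '<alias>':" header is the format visible in the thread; the cut position is set to match the "2623/r" in the report; the measured limit is the observed cut point only, not a constant taken from OSSEC's source (which the thread does not quote).

```python
"""Added example (not from the ossec-list thread, not OSSEC code).

Given the ossec.log copy and the alert copy of one full_command event, check
whether the alert is simply a byte-prefix of the full output, report where the
cut happened, and show a compacted listing that stays under that cut point.
All sample data below is constructed.
"""
import re

# Constructed sample, modelled on the netstat -tpln | sort listing in the thread.
FULL_OUTPUT = "\n".join([
    "Active Internet connections (only servers)",
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name",
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2743/sshd",
    "tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4865/nginx",
    "tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2623/rsyslogd",
    "tcp        0      0 ::1:25                  :::*                    LISTEN      2996/master",
    "tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2996/master",
    "tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      5132/mongod",
    "tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2885/mysqld",
    "tcp        0      0 127.0.0.1:3333          0.0.0.0:*               LISTEN      8089/uwsgi",
    "tcp        0      0 :::587                  :::*                    LISTEN      2623/rsyslogd",
])


def alert_prefix(alias):
    """Header OSSEC places before full_command output, in the format shown in the thread."""
    return "ossec: output: '%s':\n" % alias


# Constructed alert-log copy: same listing, cut inside the last program name
# ("2623/r" instead of "2623/rsyslogd"), matching the thread's report.
ALERT_COPY = alert_prefix("tcp_netstat") + FULL_OUTPUT[:-len("syslogd")]


def measure_cut(full_output, alert_copy, alias):
    """Compare the ossec.log copy with the alert copy of the same event.

    Returns the observed cut point in bytes (header included), the bytes lost,
    and the last line that reached the alert intact. Raises ValueError when the
    alert is not a plain prefix of the full output, because then a size cut is
    not the explanation and something else rewrote the event.
    """
    prefix = alert_prefix(alias)
    if not alert_copy.startswith(prefix):
        raise ValueError("alert copy does not start with the full_command header")
    body = alert_copy[len(prefix):]
    if not full_output.startswith(body):
        raise ValueError("alert body is not a prefix of the ossec.log copy")
    lost = len(full_output.encode("utf-8")) - len(body.encode("utf-8"))
    intact = body.splitlines()
    if lost > 0 and not body.endswith("\n"):
        intact = intact[:-1]  # the final line arrived partially, so it is not intact
    return {
        "cut_point": len(alert_copy.encode("utf-8")),
        "bytes_lost": lost,
        "last_intact_line": intact[-1] if intact else "",
    }


# Socket rows only; the two header lines are skipped. State is optional so that
# udp rows (which netstat prints without a State column) also parse.
LISTENER = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\S+)$")


def parse_listeners(text):
    """Return (proto, local, foreign, state, program) tuples for each socket row."""
    rows = []
    for line in text.splitlines():
        m = LISTENER.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def compact_listeners(text):
    """Shrink the listing to 'proto local program' per socket, sorted.

    Keeps only the columns a check_diff on listening sockets needs, so the
    event stays well under the cut point. In ossec.conf the same effect comes
    from a narrower <command>, e.g. netstat -tpln | awk 'NR>2 {print $1, $4, $7}' | sort
    """
    rows = parse_listeners(text)
    return "\n".join(sorted("%s %s %s" % (p, local, prog) for p, local, _f, _s, prog in rows))


def fits(alias, output, limit):
    """True when header plus output is within `limit` bytes."""
    return len((alert_prefix(alias) + output).encode("utf-8")) <= limit


if __name__ == "__main__":
    cut = measure_cut(FULL_OUTPUT, ALERT_COPY, "tcp_netstat")
    print("observed cut point: %d bytes, %d bytes lost, last intact line: %r"
          % (cut["cut_point"], cut["bytes_lost"], cut["last_intact_line"]))
    small = compact_listeners(FULL_OUTPUT)
    print("full listing fits under cut point:", fits("tcp_netstat", FULL_OUTPUT, cut["cut_point"]))
    print("compact listing fits under cut point:", fits("tcp_netstat", small, cut["cut_point"]))
    print(small)
```

Run it against your own ossec.log and alerts entries by replacing FULL_OUTPUT and ALERT_COPY with the two copies of one event; a ValueError from measure_cut means the alert was not a plain prefix of the full output, which would point away from a simple size limit. Splitting a long listing into several <localfile> commands (one per service group) is the other way to stay under the cut point without recompiling.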