How big are those logs, do you have an example?

This kind of behavior has been reported several times in the last few days
(for different use cases). I haven't had time to look into it, but I assume it
is a limitation in the alert size. Have you tried using the logall option? Do
you see the complete event in archives.log?

Thank you

On Mon, Feb 1, 2016 at 4:29 AM, LGuerra <aza...@gmail.com> wrote:

> Hi,
>
> I have an OSSEC Server receiving IIS logs from several servers via agent
> configuration:
>
> ex:
>
> <localfile>
>   <location>PATH/W3SVCx/u_ex%y%m%d%H.log</location>
>   <log_format>iis</log_format>
> </localfile>
>
> Everything works like a charm. However, some of my IIS logs are longer
> than usual (more than 1256 chars long). When this happens, alerts are
> equally (and correctly) generated, but alert.log doesn't contain the full
> log line, only 1256. The rest is cut off (including the Client IP, which is
> at the end of the log).
>
> When I run ossec-logtest, I can see that the log is correctly passed
> decoded/tested and the alert is correctly generated. However if I pass only
> 1256 chars of the same log line, decoder will fail and it will give me a
> standard rule output e.g. "Access log messages grouped." with no error.
> This gives me the impression that the limitation is somewhere on the
> ossec-analysis output.
>
> Has anyone ever run into something like this?
> Is there any size value I can change to correct this?
>
> Thanks in advance!
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ossec-list+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
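
To gauge the impact of the truncation described in this thread, the following added example (not code from the thread or from the OSSEC project) reports which IIS W3C fields fall past a fixed cut-off in each over-long line. The 1256-character limit is the figure reported by the poster and is treated as an assumption; the log lines and field layout are constructed.

```python
# Added example: measure which IIS W3C fields would be lost if a log line
# is cut at a fixed length. LIMIT is the 1256-character figure reported in
# the thread; it is an assumption, not a documented OSSEC value.
LIMIT = 1256

def truncation_report(lines, limit=LIMIT):
    """Return (line_no, length, lost_fields) for every line longer than limit.

    Field names come from the '#Fields:' directive of the W3C extended
    format; values are space-separated, one per field name.
    """
    fields, report = [], []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or len(line) <= limit:
            continue
        lost, offset = [], 0
        for index, value in enumerate(line.split(" ")):
            end = offset + len(value)      # exclusive end offset of this value
            if end > limit:                # value is cut short or dropped entirely
                lost.append(fields[index] if index < len(fields) else f"field{index}")
            offset = end + 1               # skip the separating space
        report.append((line_no, len(line), lost))
    return report

def build_sample():
    """Constructed sample: one short line, one with an oversized query string."""
    header = "#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip"
    short = "2016-02-01 04:29:00 GET /index.aspx - 200 192.0.2.10"
    long_ = "2016-02-01 04:29:01 GET /search.aspx q=" + "A" * 1300 + " 200 192.0.2.11"
    return [header, short, long_]

if __name__ == "__main__":
    for line_no, length, lost in truncation_report(build_sample()):
        print(f"line {line_no}: {length} chars, lost past {LIMIT}: {', '.join(lost)}")
```

Running it over the agent-side IIS log files shows how many events would reach the alert output without their trailing fields, such as the client IP.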
