From src/headers/defs.h, here are some interesting constants:

#define OS_MAXSTR       OS_SIZE_6144    /* Size for logs, sockets, etc */
#define OS_BUFFER_SIZE  OS_SIZE_2048    /* Size of general buffers */
#define OS_FLSIZE       OS_SIZE_256     /* Maximum file size */
#define OS_HEADER_SIZE  OS_SIZE_128     /* Maximum header size */
#define OS_LOG_HEADER   OS_SIZE_256     /* Maximum log header size */
#define IPSIZE          16              /* IP Address size */

On Tue, Feb 2, 2016 at 10:33 AM, Santiago Bassett <[email protected]> wrote:
> How big are those logs, do you have an example?
>
> This kind of behavior has been reported several times in the last few days
> (for different use cases). I haven't had time to look into it, but I assume it is
> a limitation in the alert size. Have you tried using the logall option? Do you
> see the complete event in archives.log?
>
> Thank you
>
> On Mon, Feb 1, 2016 at 4:29 AM, LGuerra <[email protected]> wrote:
>
>> Hi,
>>
>> I have an OSSEC Server receiving IIS logs from several servers via agent
>> configuration:
>>
>> ex:
>>
>> <localfile>
>>   <location>PATH/W3SVCx/u_ex%y%m%d%H.log</location>
>>   <log_format>iis</log_format>
>> </localfile>
>>
>> Everything works like a charm. However, some of my IIS logs are longer
>> than usual (more than 1256 chars long). When this happens, alerts are
>> equally (and correctly) generated, but alert.log doesn't contain the full
>> log line, only 1256 chars. The rest is cut off (including the client IP, which is at
>> the end of the log).
>>
>> When I run ossec-logtest, I can see that the log is correctly passed,
>> decoded/tested and the alert is correctly generated. However, if I pass only
>> 1256 chars of the same log line, the decoder will fail and it will give me a
>> standard rule output, e.g. "Access log messages grouped." with no error.
>> This gives me the impression that the limitation is somewhere in the
>> ossec-analysis output.
>>
>> Has anyone ever run into something like this?
>> Is there any size value I can change to correct this?
>>
>> Thanks in advance!
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
>
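An added example, not code from the thread or from OSSEC: a small Python check that tells you, for an IIS W3C event, whether it would be cut at the 1256-character length reported above and which declared fields (such as c-ip at the end) would be lost in alerts.log. The field order and the sample events are constructed for this example; the 1256 limit is a parameter taken from the report, not a value from OSSEC source.

```python
from dataclasses import dataclass, field

# Field order as an IIS "#Fields:" header would declare it (constructed
# layout for this example; a real log states its own order).
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status", "time-taken"]

ALERT_LIMIT = 1256  # truncation length reported in the thread (assumption)


@dataclass
class Check:
    length: int            # full length of the original event
    truncated: bool        # True if alerts.log would hold only a prefix
    missing_fields: list = field(default_factory=list)  # fields lost/damaged


def truncate(line: str, limit: int = ALERT_LIMIT) -> str:
    """Simulate what lands in alerts.log: at most `limit` characters."""
    return line[:limit]


def check_event(line: str, fields=FIELDS, limit: int = ALERT_LIMIT) -> Check:
    """Report whether an IIS event survives the limit intact and, if not,
    which declared fields are absent or only partially present."""
    intact = len(line) <= limit
    tokens = truncate(line, limit).split(" ")
    complete = len(tokens)
    # A cut that falls inside a token leaves that field partially present,
    # so it counts as damaged rather than complete.
    if not intact and line[limit] != " ":
        complete -= 1
    return Check(len(line), not intact, fields[complete:])


# Constructed sample events: one normal request, one with a very long query
# string that pushes the client IP past the limit.
SHORT = ("2016-02-01 04:29:00 10.0.0.5 GET /index.html - 80 - 192.0.2.10 "
         "Mozilla/5.0 200 0 0 15")
LONG = " ".join(["2016-02-01", "04:29:00", "10.0.0.5", "GET", "/search.aspx",
                 "q=" + "A" * 1300, "80", "-", "192.0.2.10", "Mozilla/5.0",
                 "200", "0", "0", "42"])

if __name__ == "__main__":
    for ev in (SHORT, LONG):
        r = check_event(ev)
        print(r.length, "truncated" if r.truncated else "intact", r.missing_fields)
```

Running the same check over archives.log (with logall enabled) and alerts.log side by side shows whether the cut happens before or after the alert is written.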
