There are several email threads in this list reporting similar issues. I recommend you keep an eye on those as well. Haven't had much time to look into it, but it seems there are several places where the message can be cut off. In src/headers/defs.h you will find some constants that are used to limit those sizes.
This one seems interesting.

src/headers/defs.h:#define OS_MAXSTR OS_SIZE_6144 /* Size for logs, sockets, etc */

On Tue, Feb 2, 2016 at 12:21 PM, q <[email protected]> wrote:

> Santiago, thank you for the idea!
> ;)
>
> On 02.02.2016 20:30, Santiago Bassett wrote:
>
> I think this is due to a limitation on the alert message size. I guess, you will need to look in the code and recompile if you want this to work.
>
> On Thu, Jan 28, 2016 at 3:12 PM, q <[email protected]> wrote:
>
>> list, sorry for typo
>>
>> the first example is not "from ossec-alerts.log" but "from ossec.log"
>>
>> cheers.
>>
>> On 29.01.2016 01:49, q wrote:
>> > Hello list!
>> >
>> > OSSEC can "cut" some data from 'full_command' output.
>> >
>> > this is from ossec-alerts.log
>> >
>> > ossec: output: 'tcp_netstat':
>> > Active Internet connections (only servers)
>> > Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
>> > tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  2743/sshd
>> > tcp        0      0 0.0.0.0:443      0.0.0.0:*        LISTEN  4865/nginx
>> > tcp        0      0 0.0.0.0:587      0.0.0.0:*        LISTEN  2623/rsyslogd
>> > tcp        0      0 0.0.0.0:80       0.0.0.0:*        LISTEN  12159/ossec-authd
>> > tcp        0      0 ::1:25           :::*             LISTEN  2996/master
>> > tcp        0      0 127.0.0.1:25     0.0.0.0:*        LISTEN  2996/master
>> > tcp        0      0 127.0.0.1:27017  0.0.0.0:*        LISTEN  5132/mongod
>> > tcp        0      0 127.0.0.1:3306   0.0.0.0:*        LISTEN  2885/mysqld
>> > tcp        0      0 127.0.0.1:3333   0.0.0.0:*        LISTEN  8089/uwsgi
>> > tcp        0      0 :::587           :::*             LISTEN  2623/r
>> >
>> > and this is from ossec-alerts.log
>> >
>> > Active Internet connections (only servers)
>> > Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
>> > tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  2743/sshd
>> > tcp        0      0 0.0.0.0:443      0.0.0.0:*        LISTEN  4865/nginx
>> > tcp        0      0 0.0.0.0:587      0.0.0.0:*        LISTEN  2623/rsyslogd
>> > tcp        0      0 ::1:25           :::*             LISTEN  2996/master
>> > tcp        0      0 127.0.0.1:25     0.0.0.0:*        LISTEN  2996/master
>> > tcp        0      0 127.0.0.1:27017  0.0.0.0:*        LISTEN  5132/mongod
>> > tcp        0      0 127.0.0.1:3306   0.0.0.0:*        LISTEN  2885/mysqld
>> > tcp        0      0 127.0.0.1:3333   0.0.0.0:*        LISTEN  8089/uwsgi
>> > tcp        0      0 :::587           :::*             LISTEN  2623/rsyslogd
>> >
>> > Last string from /var/ossec/logs/ossec.log
>> > tcp        0      0 :::587           :::*             LISTEN  2623/rsyslogd
>> >
>> > and last string from /var/ossec/logs/alerts/ossec-alerts
>> > tcp        0      0 :::587           :::*             LISTEN  2623/r
>> >
>> > Also, check_diff doesn't work properly due to this issue.
>> > I think it's a bug.
>> >
>> > My ossec is 2.8 (rpm from Atomic repo)
>> >
>> > part of my config:
>> >
>> > <localfile>
>> > <alias>tcp_netstat</alias>
>> > <log_format>full_command</log_format>
>> > <command>netstat -tpln |sort</command>
>> > </localfile>
>> >
>> > Thank you!
>>
>> --
>>
>> ---
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
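
An added example, not part of the thread and not OSSEC code: given the complete `full_command` output (as in ossec.log) and the copy that reached the alert, it reports the byte offset of the cut and which listener lines the alert no longer shows. The name `cut_report` is hypothetical, the value 6144 for `OS_MAXSTR` is assumed from the constant's name, and the sample rows are constructed from the thread's netstat output plus one invented row.

```python
OS_MAXSTR = 6144  # assumption: OS_SIZE_6144 in src/headers/defs.h means 6144 bytes

# Constructed sample: three rows from the thread's netstat output plus one
# invented row, so that a whole line is lost after the cut.
FULL = "\n".join([
    "tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2743/sshd",
    "tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 2885/mysqld",
    "tcp 0 0 :::587 :::* LISTEN 2623/rsyslogd",
    "tcp 0 0 :::8080 :::* LISTEN 4100/example",  # constructed row
])
SEEN = FULL[:FULL.index("2623/r") + len("2623/r")]  # alert copy ends at "2623/r"


def cut_report(full: str, seen: str) -> dict:
    """Compare the complete command output with the copy found in an alert."""
    full_b, seen_b = full.encode(), seen.encode()
    # Common prefix length in bytes, since the size limits are byte counts.
    n = 0
    while n < min(len(full_b), len(seen_b)) and full_b[n] == seen_b[n]:
        n += 1
    if n < len(seen_b):
        # The copies differ before the alert copy ends (two different runs of
        # the command), so this pair says nothing about a size limit.
        return {"status": "diverged", "offset": n}
    if n == len(full_b):
        return {"status": "complete", "offset": n}
    # `seen` is a strict prefix of `full`: the alert copy was cut at byte n.
    line_start = full_b.rfind(b"\n", 0, n) + 1
    line_end = full_b.find(b"\n", n)
    if line_end == -1:
        line_end = len(full_b)
    rest = full_b[line_end:].decode(errors="replace")
    return {
        "status": "truncated",
        "offset": n,
        # True means the cut is below OS_MAXSTR, so a smaller limit applied.
        "below_os_maxstr": n < OS_MAXSTR,
        "cut_line_full": full_b[line_start:line_end].decode(errors="replace"),
        "cut_line_seen": seen_b[line_start:].decode(errors="replace"),
        "lines_lost": [line for line in rest.split("\n") if line],
    }


if __name__ == "__main__":
    for key, value in cut_report(FULL, SEEN).items():
        print(f"{key}: {value}")
```

The reported offset is the number to compare against the size constants in src/headers/defs.h; a "diverged" result means the two copies come from different runs and must be recaptured together.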
