Our major limitation is the size of the UDP packet when sending from the agent->manager. We can't reliably split the message into multiple datagrams, so we restrict by size, forcing it to always fit into one packet. Moving to TCP would solve this limitation (this is something I am trying to work on right now: moving to TCP+OpenSSL for the agent->manager communication).
thanks,

On Tue, Feb 2, 2016 at 4:24 PM, Santiago Bassett <[email protected]> wrote:
> There are several email threads in this list reporting similar issues. I
> recommend you to keep an eye on those as well. Haven't had much time to
> look into it, but it seems there are several places where the message can
> be cut off. In src/headers/defs.h you will find some constants that are used
> to limit those sizes.
>
> This one seems interesting.
>
> src/headers/defs.h:#define OS_MAXSTR OS_SIZE_6144 /* Size for logs, sockets, etc */
>
> On Tue, Feb 2, 2016 at 12:21 PM, q <[email protected]> wrote:
>>
>> Santiago, thank you for the idea!
>>
>> ;)
>>
>> On 02.02.2016 20:30, Santiago Bassett wrote:
>>
>> I think this is due to a limitation on the alert message size. I guess
>> you will need to look in the code and recompile if you want this to work.
>>
>> On Thu, Jan 28, 2016 at 3:12 PM, q <[email protected]> wrote:
>>>
>>> list, sorry for the typo
>>>
>>> the first example is not "from ossec-alerts.log" but "from ossec.log"
>>>
>>> cheers.
>>>
>>> On 29.01.2016 01:49, q wrote:
>>> > Hello list!
>>> >
>>> > OSSEC can "cut" some data from 'full_command' output.
>>> >
>>> > this is from ossec-alerts.log
>>> >
>>> > ossec: output: 'tcp_netstat':
>>> > Active Internet connections (only servers)
>>> > Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>>> > tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2743/sshd
>>> > tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4865/nginx
>>> > tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2623/rsyslogd
>>> > tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      12159/ossec-authd
>>> > tcp        0      0 ::1:25                  :::*                    LISTEN      2996/master
>>> > tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2996/master
>>> > tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      5132/mongod
>>> > tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2885/mysqld
>>> > tcp        0      0 127.0.0.1:3333          0.0.0.0:*               LISTEN      8089/uwsgi
>>> > tcp        0      0 :::587                  :::*                    LISTEN      2623/r
>>> >
>>> > and this is from ossec-alerts.log
>>> >
>>> > Active Internet connections (only servers)
>>> > Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>>> > tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2743/sshd
>>> > tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4865/nginx
>>> > tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2623/rsyslogd
>>> > tcp        0      0 ::1:25                  :::*                    LISTEN      2996/master
>>> > tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2996/master
>>> > tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      5132/mongod
>>> > tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2885/mysqld
>>> > tcp        0      0 127.0.0.1:3333          0.0.0.0:*               LISTEN      8089/uwsgi
>>> > tcp        0      0 :::587                  :::*                    LISTEN      2623/rsyslogd
>>> >
>>> > Last string from /var/ossec/logs/ossec.log
>>> > tcp        0      0 :::587                  :::*                    LISTEN      2623/rsyslogd
>>> >
>>> > and last string from /var/ossec/logs/alerts/ossec-alerts
>>> > tcp        0      0 :::587                  :::*                    LISTEN      2623/r
>>> >
>>> > Also, check_diff doesn't work properly due to this issue.
>>> > I think it's a bug.
>>> >
>>> > My ossec is 2.8 (rpm from Atomic repo)
>>> >
>>> > part of my config:
>>> >
>>> > <localfile>
>>> >   <alias>tcp_netstat</alias>
>>> >   <log_format>full_command</log_format>
>>> >   <command>netstat -tpln |sort</command>
>>> > </localfile>
>>> >
>>> > Thank you!
>>> >
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
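The cut-off reported in this thread, reproduced offline as an added example. This is not OSSEC code and was not posted by anyone in the thread: it builds the log line in the shape shown above ("ossec: output: 'alias':" followed by the raw command output), assumes that OS_MAXSTR (OS_SIZE_6144 in src/headers/defs.h, as quoted) is the operative per-message limit, that the prefix line counts against it and that one byte is reserved for the C string terminator, and reports where a netstat listing would be cut. The helper names (cut_point, last_surviving_line, check_command, fake_netstat) and the netstat-like listing are this example's own constructions, so real cut points in OSSEC 2.8 may differ by a few bytes.

```python
"""Added example (not OSSEC code): estimate where a full_command output is cut.

Assumptions: OS_MAXSTR (OS_SIZE_6144 in src/headers/defs.h, quoted in the
thread) is the operative limit for one agent->manager message, the
"ossec: output: '<alias>':" prefix seen in ossec.log counts against it, and
one byte is reserved for the NUL terminator of the C string.
"""
import subprocess

OS_MAXSTR = 6144  # src/headers/defs.h: #define OS_MAXSTR OS_SIZE_6144

# Column layout used for the constructed listing below (netstat -tpln style).
ROW_FMT = "%-5s %6s %6s %-23s %-23s %-11s %s\n"


def message_payload(alias, output):
    """Log line as shown in the thread: prefix line, then the raw command output."""
    return "ossec: output: '%s':\n%s" % (alias, output)


def cut_point(alias, output, limit=OS_MAXSTR):
    """Return (fits, kept, dropped) for one message of at most `limit` bytes.

    `kept` is the text that would survive and `dropped` what would be lost;
    when the output is too long the last surviving line is split mid-row,
    the way "2623/rsyslogd" became "2623/r" in the report above.
    """
    data = message_payload(alias, output).encode("utf-8")
    usable = limit - 1  # assumption: one byte kept for the NUL terminator
    if len(data) <= usable:
        return True, data.decode("utf-8"), ""
    kept = data[:usable].decode("utf-8", "ignore")
    dropped = data[usable:].decode("utf-8", "ignore")
    return False, kept, dropped


def last_surviving_line(kept):
    """The final (possibly truncated) line a reader would see in the alert."""
    return kept.rstrip("\n").split("\n")[-1]


def check_command(alias, command, limit=OS_MAXSTR):
    """Run a configured <command> through a shell (the posted one uses a pipe)
    and report whether its current output fits in one message."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return cut_point(alias, proc.stdout, limit)


def fake_netstat(n_listeners):
    """Constructed `netstat -tpln | sort`-style output for offline testing (not real data)."""
    header = "Active Internet connections (only servers)\n" + ROW_FMT % (
        "Proto", "Recv-Q", "Send-Q", "Local Address", "Foreign Address",
        "State", "PID/Program name")
    rows = [
        ROW_FMT % ("tcp", 0, 0, "127.0.0.1:%d" % (10000 + i), "0.0.0.0:*",
                   "LISTEN", "%d/daemon%d" % (1000 + i, i))
        for i in range(n_listeners)
    ]
    return header + "".join(rows)


if __name__ == "__main__":
    # A short listing fits; a host with ~70 listeners does not and loses its tail.
    for n in (10, 70):
        fits, kept, dropped = cut_point("tcp_netstat", fake_netstat(n))
        print("%d listeners: %s" % (n, "fits" if fits else "CUT"))
        if not fits:
            print("  last surviving line: %r" % last_surviving_line(kept))
            print("  lines lost: %d" % dropped.count("\n"))
    # On a real host: check_command("tcp_netstat", "netstat -tpln | sort")
```

Because the listing is sorted, the lines that get dropped are always the ones that sort last, which is why check_diff sees a stable but incomplete snapshot rather than random noise; running check_command against the actual alias and command before deploying a full_command entry tells you whether the current host is already past the limit.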
