That would be more than awesome!

On Tue, Feb 2, 2016 at 1:27 PM, Daniel Cid <[email protected]> wrote:

> Our major limitation is the size of the UDP packet when sending from the
> agent->manager. We can't reliably split the message into multiple
> datagrams, so we restrict by size, forcing it to always fit into 1 packet.
> Moving to TCP would solve this limitation (this is something I am trying
> to work on right now --> move to TCP+OpenSSL for the agent->manager
> communication).
>
> thanks,
>
> On Tue, Feb 2, 2016 at 4:24 PM, Santiago Bassett <[email protected]> wrote:
>
>> There are several email threads in this list reporting similar issues. I
>> recommend you to keep an eye on those as well. Haven't had much time to
>> look into it, but it seems there are several places where the message can
>> be cut off. In src/headers/defs.h you will find some constants that are
>> used to limit those sizes.
>>
>> This one seems interesting.
>>
>> src/headers/defs.h:#define OS_MAXSTR OS_SIZE_6144 /* Size for logs, sockets, etc */
>>
>> On Tue, Feb 2, 2016 at 12:21 PM, q <[email protected]> wrote:
>>
>>> Santiago, thank you for the idea!
>>>
>>> ;)
>>>
>>> On 02.02.2016 20:30, Santiago Bassett wrote:
>>>
>>> I think this is due to a limitation on the alert message size. I guess
>>> you will need to look in the code and recompile if you want this to work.
>>>
>>> On Thu, Jan 28, 2016 at 3:12 PM, q <[email protected]> wrote:
>>>
>>>> list, sorry for the typo
>>>>
>>>> the first example is not "from ossec-alerts.log" but "from ossec.log"
>>>>
>>>> cheers.
>>>>
>>>> On 29.01.2016 01:49, q wrote:
>>>> > Hello list!
>>>> >
>>>> > OSSEC can "cut" some data from 'full_command' output.
>>>> >
>>>> > this is from ossec-alerts.log
>>>> >
>>>> > ossec: output: 'tcp_netstat':
>>>> > Active Internet connections (only servers)
>>>> > Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>>>> > tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2743/sshd
>>>> > tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4865/nginx
>>>> > tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2623/rsyslogd
>>>> > tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      12159/ossec-authd
>>>> > tcp        0      0 ::1:25                  :::*                    LISTEN      2996/master
>>>> > tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2996/master
>>>> > tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      5132/mongod
>>>> > tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2885/mysqld
>>>> > tcp        0      0 127.0.0.1:3333          0.0.0.0:*               LISTEN      8089/uwsgi
>>>> > tcp        0      0 :::587                  :::*                    LISTEN      2623/r
>>>> >
>>>> > and this is from ossec-alerts.log
>>>> >
>>>> > Active Internet connections (only servers)
>>>> > Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>>>> > tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2743/sshd
>>>> > tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4865/nginx
>>>> > tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      2623/rsyslogd
>>>> > tcp        0      0 ::1:25                  :::*                    LISTEN      2996/master
>>>> > tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2996/master
>>>> > tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      5132/mongod
>>>> > tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2885/mysqld
>>>> > tcp        0      0 127.0.0.1:3333          0.0.0.0:*               LISTEN      8089/uwsgi
>>>> > tcp        0      0 :::587                  :::*                    LISTEN      2623/rsyslogd
>>>> >
>>>> > Last string from /var/ossec/logs/ossec.log
>>>> > tcp        0      0 :::587                  :::*                    LISTEN      2623/rsyslogd
>>>> >
>>>> > and last string from /var/ossec/logs/alerts/ossec-alerts
>>>> > tcp        0      0 :::587                  :::*                    LISTEN      2623/r
>>>> >
>>>> > Also, check_diff doesn't work properly due to this issue.
>>>> > I think it's a bug.
>>>> >
>>>> > My ossec is 2.8 (rpm from Atomic repo)
>>>> >
>>>> > part of my config:
>>>> >
>>>> > <localfile>
>>>> >   <alias>tcp_netstat</alias>
>>>> >   <log_format>full_command</log_format>
>>>> >   <command>netstat -tpln |sort</command>
>>>> > </localfile>
>>>> >
>>>> > Thank you!
>>>> >
>>>>
>>>> --
>>>>
>>>> ---
>>>> You received this message because you are subscribed to the Google
>>>> Groups "ossec-list" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to [email protected].
>>>> For more options, visit https://groups.google.com/d/optout.
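An added illustration of the size limit Daniel and Santiago describe above (written for this thread, not OSSEC's code): a command's output is copied, with its `ossec: output: '<alias>': ` prefix, into a buffer bounded by OS_MAXSTR, and whatever does not fit is dropped, so the stored message ends on a partial line such as the `2623/r` in the original post. The constant names and value (OS_SIZE_6144, OS_MAXSTR = 6144) and the prefix string are taken from the thread; `packed_msg`, `pack_command_output`, `partial_last_line`, `make_listing` and the netstat-style listing are constructed for this example. It models a single bounded copy only; as Santiago notes, the real pipeline has several places where the message can be cut, so 6144 bytes is an upper bound on what survives, not a guarantee.

```c
/* Added illustration for this thread: how a fixed-size message buffer cuts
 * full_command output.  Not OSSEC source.  OS_SIZE_6144 / OS_MAXSTR are the
 * constant names quoted from src/headers/defs.h; the struct, function names
 * and the netstat-style sample listing are constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OS_SIZE_6144 6144
#define OS_MAXSTR    OS_SIZE_6144   /* "Size for logs, sockets, etc" (defs.h) */

/* One command's output packed into a single bounded message. */
typedef struct {
    char   msg[OS_MAXSTR + 1];  /* bounded copy, always NUL-terminated */
    size_t needed;              /* bytes the full message would require */
    int    truncated;           /* 1 if part of the output was dropped */
} packed_msg;

/* Pack "<prefix><output>" into at most OS_MAXSTR bytes, the way a bounded
 * copy would, and record whether anything was lost.  Returns bytes stored. */
size_t pack_command_output(const char *prefix, const char *output, packed_msg *out)
{
    int n;
    out->needed = strlen(prefix) + strlen(output);
    out->truncated = out->needed > OS_MAXSTR;
    /* snprintf reports the length it wanted to write, not what it stored */
    n = snprintf(out->msg, sizeof out->msg, "%s%s", prefix, output);
    return (size_t)n > OS_MAXSTR ? OS_MAXSTR : (size_t)n;
}

/* The partial last line of a packed message (text after the last newline),
 * or "" when the message ends on a complete line.  A non-empty result is
 * the "2623/r" symptom from the original post. */
const char *partial_last_line(const packed_msg *m)
{
    const char *nl = strrchr(m->msg, '\n');
    return nl ? nl + 1 : m->msg;
}

/* Constructed `netstat -tpln`-style listing with `lines` LISTEN entries
 * (ports, PIDs and process names are made up).  Caller frees the result. */
char *make_listing(int lines)
{
    const char *hdr =
        "Active Internet connections (only servers)\n"
        "Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name\n";
    size_t cap = strlen(hdr) + (size_t)lines * 96 + 1;  /* each row < 96 bytes */
    char *buf = malloc(cap);
    size_t used;
    int i;
    if (!buf) return NULL;
    used = (size_t)snprintf(buf, cap, "%s", hdr);
    for (i = 0; i < lines; i++)
        used += (size_t)snprintf(buf + used, cap - used,
            "tcp        0      0 0.0.0.0:%-5d           0.0.0.0:*               LISTEN      %d/daemon%d\n",
            1024 + i, 2000 + i, i);
    return buf;
}

int main(void)
{
    const char *prefix = "ossec: output: 'tcp_netstat': ";
    int sizes[] = { 10, 200 };   /* a listing that fits, and one that does not */
    size_t k;
    for (k = 0; k < sizeof sizes / sizeof sizes[0]; k++) {
        packed_msg pm;
        char *listing = make_listing(sizes[k]);
        size_t stored = pack_command_output(prefix, listing, &pm);
        printf("%d lines: needed %zu bytes, stored %zu, truncated=%d, cut line: \"%s\"\n",
               sizes[k], pm.needed, stored, pm.truncated, partial_last_line(&pm));
        free(listing);
    }
    return 0;
}
```

Running it shows the 10-line listing stored whole and the 200-line listing cut at exactly 6144 bytes, with the dropped tail starting mid-way through a `tcp ... /daemon` row. The practical check is the same as in the thread: measure the full output of the command (prefix included) against OS_MAXSTR; anything near or over the limit will arrive with its last line cut, which is also why `check_diff` on such output misbehaves.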
