> My initial attempt (on Redhat and clones) has been to use process monitoring on the "rpm -qa | sort" command periodically along check_diff to alert on changes.
> For some systems, especially desktops that can have thousands of installed packages in our environment, it seems that too many characters are being returned by the rpm command and output is getting truncated,
Had the same issue. I found the problem was that expect, by default, only stores results in chunks of 2k bytes. Each new byte past that can push the previous block out. The solution from the expect man page was to raise the match_max buffer. This worked for me:

--- agentless/ssh_generic_diff.orig 2016-06-29 13:30:22.037845309 +0000 +++ agentless/ssh_generic_diff 2016-06-29 13:32:09.089277014 +0000 @@ -31,6 +31,7 @@ set timeout 600 +match_max 51200 send_user "INFO: Starting.\n" send_user "\nSTORE: now\n"

I recommend that the ossec maintainers add "match_max 2000" (the default) into the script so that people can easily tweak or debug it to their liking, and/or set it to a higher value (2k seems a pretty low default).
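Review bot: the added `match_max 51200` is a bare hard-coded value dropped right after `set timeout 600`; like the timeout it should be a named, commented setting at the top of the script so operators can raise it without patching, which is also what the recommendation at the end of the message asks for. Two things to check before merging: match_max without `-d` applies to the spawn id that is current at that point, so if the ssh session is spawned later in the script the raised value may not reach it (the expect man page documents `match_max -d <size>` as the way to set the default for processes spawned afterwards); and 51200 bytes can still be exceeded by `rpm -qa | sort` on a desktop with thousands of packages, so the script should detect a capture that ends early and fail loudly rather than hand check_diff a partial package list that would be reported as a change.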
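As an added example, not code from the ossec agentless scripts or from this thread, the expect script below reproduces the truncation described above and shows the check a monitoring script should make: compare what survived in expect's buffer against an independent line count. `seq` is a constructed stand-in for `rpm -qa | sort`, and the buffer sizes are arbitrary demo values.

```tcl
#!/usr/bin/expect -f
# Added example, not part of the ossec agentless scripts. Shows how expect's
# default match buffer truncates a long command's output and how to detect it.
# Assumptions: the command is a constructed stand-in for "rpm -qa | sort";
# the buffer sizes are arbitrary demo values.

set timeout 60

# Spawn $cmd under the given default match_max and return the number of
# lines that survived in expect_out(buffer) when the process reached EOF.
proc captured_lines {bufsize cmd} {
    match_max -d $bufsize        ;# -d: default for processes spawned from now on
    log_user 0                   ;# keep the spawned output off the terminal
    spawn sh -c $cmd
    expect {
        eof     {}
        timeout { send_user "ERROR: no EOF from command before timeout\n"; exit 2 }
    }
    wait
    # The pty turns \n into \r\n, so count lines instead of comparing byte counts.
    set buf [string trimright $expect_out(buffer)]
    if {$buf eq ""} { return 0 }
    return [llength [split $buf "\n"]]
}

set cmd "seq 1 3000"   ;# constructed stand-in for: rpm -qa | sort

# Independent ground truth that never passes through expect's match buffer.
set expected [string trim [exec sh -c "$cmd | wc -l"]]

foreach bufsize {2000 51200 1048576} {
    set got [captured_lines $bufsize $cmd]
    if {$got == $expected} {
        send_user "match_max $bufsize: captured all $got lines\n"
    } else {
        # This is the failure mode from the thread: a diff built from an
        # incomplete package list. Report it as an error, not as a change.
        send_user "match_max $bufsize: TRUNCATED, captured $got of $expected lines\n"
    }
}
```

With the 2000-byte default the first run reports a truncated capture while the larger buffers capture every line; the same line-count comparison can be made against a remote `wc -l` in an ssh-based script before the output is handed to check_diff.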
