Hi all,
I'm new to administering OSSEC and am having an issue with Rule 1003. I've
been tasked with replacing our existing 2.5.1 with the 2.9 version provided
by Debian stable. I have installed OSSEC and copied our logs / config over
to the new machine. I have a blank agent.conf file on the server so the
clients should not be downloading new config from the server.
I have migrated machines to the new server (changed the server IP, deleted
the rids files, restarted the services and the clients connected ok) and am
now getting rule 1003 (event log entry too long) fired whenever anyone logs
in. We have busy servers, so this is happening a lot. I am not able to tell
why the new server is firing these rules when the old one did not: client
config is the same, and server config appears to be the same.
Could anyone please help me track this one down? At the moment I'm thinking
that the rule was not working on our 2.5.1 installation, and that it has
begun working on the later version, but I cannot see that this has been
configured like this. On both I have the following config, and no other
mention of this rule:
<rule id="1003" level="13" maxsize="1025">
<description>Non standard syslog message (size too large).</description>
</rule>
Any help greatly appreciated, thanks,
Joseph
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
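As an added example (not from the post, and not OSSEC's own code), a small Python script that reads the maxsize value out of the rule snippet quoted above and reports which log lines would exceed it, grouped by originating program. It assumes the size check is a plain byte-length comparison against the raw line, and the sample log lines are constructed.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Rule definition exactly as quoted in the post.
RULE_1003_XML = """<rule id="1003" level="13" maxsize="1025">
<description>Non standard syslog message (size too large).</description>
</rule>"""

# Constructed sample lines (not real logs); the third is padded past 1025
# bytes to stand in for an oversized logon event.
SAMPLE_LOGS = [
    "Jan  1 10:00:00 host1 sshd[123]: Accepted publickey for alice from 10.0.0.5 port 4242",
    "Jan  1 10:00:01 host1 systemd-logind[456]: New session 7 of user alice.",
    "Jan  1 10:00:02 host2 sshd[789]: Accepted password for bob from 10.0.0.6 port 4343 "
    "ssh2 " + "x" * 1100,
]

# BSD syslog header: "Mon DD HH:MM:SS host program[pid]: ..."
PROGRAM_RE = re.compile(r"^\w{3}\s+\d+\s+\S+\s+\S+\s+([^\[:\s]+)")

def rule_maxsize(rule_xml, rule_id="1003"):
    """Return the integer maxsize attribute of rule_id from a rule XML snippet."""
    root = ET.fromstring(rule_xml)
    candidates = [root] if root.tag == "rule" else list(root.iter("rule"))
    for rule in candidates:
        if rule.get("id") == rule_id and rule.get("maxsize") is not None:
            return int(rule.get("maxsize"))
    raise ValueError(f"rule {rule_id} has no maxsize attribute")

def oversized_events(lines, maxsize):
    """Return one record per line whose UTF-8 byte length exceeds maxsize.
    (Assumption: the rule compares the raw line's byte length against maxsize.)"""
    hits = []
    for line in lines:
        size = len(line.encode("utf-8"))
        if size > maxsize:
            m = PROGRAM_RE.match(line)
            hits.append({"program": m.group(1) if m else "unknown",
                         "length": size, "over_by": size - maxsize})
    return hits

def count_by_program(hits):
    """Summarise oversized events by originating program."""
    return Counter(h["program"] for h in hits)

if __name__ == "__main__":
    limit = rule_maxsize(RULE_1003_XML)
    hits = oversized_events(SAMPLE_LOGS, limit)
    for h in hits:
        print(f"{h['program']}: {h['length']} bytes ({h['over_by']} over {limit})")
    print(dict(count_by_program(hits)))
```

Pointing `SAMPLE_LOGS` at the lines OSSEC actually receives from an agent (or at the raw log tail of the rule 1003 alerts) shows how far over 1025 bytes the logon events are, which is the number needed to decide between raising `maxsize` and trimming the source.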