Atomic Secure Linux

All times are UTC - 5 hours [ DST ]
 Post subject: Long messages being truncated when sent using syslog_output.
Posted: Fri Feb 15, 2019 5:28 am
Forum User

Joined: Fri Feb 15, 2019 3:31 am
Posts: 6
Location: Beirut
Hey all. We have some rather long messages, around 3000 characters in size. Unfortunately they are being truncated. As you can see in the image below, the end of the field is cut off.

Is it possible to increase the message limit so that they would no longer be truncated? Perhaps using something other than syslog_output?

We’re using the following Ossec 3.1 for log collection, sending messages to a CEF UDP input in Graylog 2.5.

[Image]


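One receiver-side check for the problem described in the post above, added here as an example that is not part of this thread, OSSEC or Graylog: it models a forwarder with a fixed per-message cap (an assumed value, not OSSEC's real constant), parses the CEF extension of what arrives, and flags events that look cut off. The sample event, the cap and the list of expected keys are all constructed.

```python
import re

# Assumed per-message cap of the forwarder (constructed for this example;
# it is not OSSEC's real syslog_output constant).
MAX_SYSLOG_BYTES = 1024

# Optional syslog PRI, timestamp and host, then the seven CEF header fields.
CEF_HEADER = re.compile(r"^(?:<\d+>)?(?:\w{3} +\d+ [\d:]+ \S+ )?CEF:\d+\|(?:[^|]*\|){6}")

# Constructed OSSEC-style event whose extension runs to roughly 3000 characters.
SAMPLE_PREFIX = "<132>Feb 15 05:28:00 hub CEF:0|OSSEC|ossec-hids|3.1|1002|Unknown problem|2|"
SAMPLE_EVENT = (SAMPLE_PREFIX + "src=10.0.0.1 dst=10.0.0.2 msg=" + "A" * 2900
                + " cs1=rulehit cs1Label=ruleDetails")
EXPECTED_KEYS = ("src", "dst", "msg", "cs1", "cs1Label")

def forward(line, cap=MAX_SYSLOG_BYTES):
    """Model a forwarder that silently cuts each message at `cap` bytes."""
    return line.encode("utf-8")[:cap].decode("utf-8", errors="ignore")

def extension_fields(line):
    """Parse the CEF extension into a dict (escaped '\\=' inside values is not handled)."""
    m = CEF_HEADER.match(line)
    if not m:
        return {}
    pairs = re.split(r" (?=\w+=)", line[m.end():])
    return dict(p.split("=", 1) for p in pairs if "=" in p)

def looks_truncated(line, expected_keys=EXPECTED_KEYS, cap=MAX_SYSLOG_BYTES):
    """Flag a received event as cut off if it sits at the cap (a UTF-8 cut can
    drop up to three trailing bytes), lost its CEF header, or lacks a key that
    every event of this type carries."""
    n = len(line.encode("utf-8"))
    if cap - 3 <= n <= cap or not CEF_HEADER.match(line):
        return True
    return not set(expected_keys) <= extension_fields(line).keys()

def audit(lines, **kw):
    """Return the indexes of received lines that look truncated."""
    return [i for i, line in enumerate(lines) if looks_truncated(line, **kw)]

if __name__ == "__main__":
    received = [forward(SAMPLE_EVENT), SAMPLE_EVENT]
    print("truncated lines:", audit(received))
    print("msg length after forwarding:", len(extension_fields(received[0])["msg"]))
```

Run the same audit over lines as they arrive at the CEF input to confirm whether the cut happens before or after the forwarder, rather than relying on the rendered view in the SIEM.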
Post subject: Re: Long messages being truncated when sent using syslog_output.
Posted: Tue Feb 19, 2019 5:03 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4087
Location: Chantilly, VA
I know in the past this limit was required because not all syslog listeners could handle messages larger than that.

_________________
Michael Shinn
Atomicorp - Security For Everyone


Post subject: Re: Long messages being truncated when sent using syslog_output.
Posted: Tue Aug 20, 2019 4:29 am
Forum User

Joined: Fri Feb 15, 2019 3:31 am
Posts: 6
Location: Beirut
mikeshinn wrote:
I know in the past this limit was required because not all syslog listeners could handle messages larger than that.


Is there a way to work around this? We have long messages being sent and we need them to be sent in full.


Post subject: Re: Long messages being truncated when sent using syslog_output.
Posted: Tue Aug 20, 2019 6:58 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4087
Location: Chantilly, VA
Yes, the latest version of AEO allows for setting effectively an unlimited limit; just make sure you're using the latest version of AEO.

_________________
Michael Shinn
Atomicorp - Security For Everyone


Post subject: Re: Long messages being truncated when sent using syslog_output.
Posted: Wed Sep 11, 2019 1:12 am
Forum User
Joined: Fri Feb 15, 2019 3:31 am
Posts: 6
Location: Beirut
mikeshinn wrote:
Yes, the latest version of AEO allows for setting effectively an unlimited limit; just make sure you're using the latest version of AEO.


I am. Where do I change this setting?


Post subject: Re: Long messages being truncated when sent using syslog_output.
Posted: Wed Sep 11, 2019 10:35 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4087
Location: Chantilly, VA
Sorry if I wasn't clear: the latest version of AEO has no limit. What version of AEO is the hub using?

Just run this command:

asl -v

_________________
Michael Shinn
Atomicorp - Security For Everyone


Post subject: Re: Long messages being truncated when sent using syslog_output.
Posted: Tue Sep 17, 2019 6:57 am
Forum User

Joined: Fri Feb 15, 2019 3:31 am
Posts: 6
Location: Beirut
yum list installed | grep ossec
ossec-hids.x86_64 1:3.3.0-7006.el7.art @atomic
ossec-hids-server.x86_64 1:3.3.0-7006.el7.art @atomic


Post subject: Re: Long messages being truncated when sent using syslog_output.
Posted: Tue Sep 17, 2019 4:35 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4087
Location: Chantilly, VA
That's pretty old; I don't think we've put out a version of AEO using a version of OSSEC that old. Can you send me the version number for AEO with this command:

asl -v

_________________
Michael Shinn
Atomicorp - Security For Everyone


Post subject: Re: Long messages being truncated when sent using syslog_output.
Posted: Wed Sep 18, 2019 3:54 am
Forum User

Joined: Fri Feb 15, 2019 3:31 am
Posts: 6
Location: Beirut
mikeshinn wrote:
That's pretty old; I don't think we've put out a version of AEO using a version of OSSEC that old. Can you send me the version number for AEO with this command:

asl -v



It says no such command. Only Ossec is installed it seems.


Post subject: Re: Long messages being truncated when sent using syslog_output.
Posted: Wed Sep 25, 2019 3:23 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 4087
Location: Chantilly, VA
Ah, OK, so that sounds like you're just using the open source builds? If so, then you need to grab the latest source code and build from that. The binary you're using is quite old, and it looks like you're using 3.0, whereas the source tree has patches for the upcoming 4.0 release.

If you're using the commercial version, please let me know; your system should definitely not be using such an old version of OSSEC.

_________________
Michael Shinn
Atomicorp - Security For Everyone


Post subject: Re: Long messages being truncated when sent using syslog_output.
Posted: Wed Oct 16, 2019 7:21 am
Forum User

Joined: Fri Feb 15, 2019 3:31 am
Posts: 6
Location: Beirut
mikeshinn wrote:
Ah, OK, so that sounds like you're just using the open source builds? If so, then you need to grab the latest source code and build from that. The binary you're using is quite old, and it looks like you're using 3.0, whereas the source tree has patches for the upcoming 4.0 release.

If you're using the commercial version, please let me know; your system should definitely not be using such an old version of OSSEC.



We are using the open source version, yes. Unfortunately it seems the latest tag is 3.3.0:

https://github.com/ossec/ossec-hids

