Long messages being truncated when sent using syslog_output.

Support/Development for OSSEC
GureenRyuu
Forum User
Forum User
Posts: 6
Joined: Fri Feb 15, 2019 3:31 am
Location: Beirut

Long messages being truncated when sent using syslog_output.

Unread post by GureenRyuu »

Hey all. We have some rather long messages, around 3000 characters in size. Unfortunately they are being truncated. As you can see in the image below, the end of the field is cut off.

Is it possible to increase the message limit so that they would no longer be truncated? Perhaps using something other than syslog_output?

We’re using the following Ossec 3.1 for log collection, sending messages to a CEF UDP input in Graylog 2.5.

Image
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4119
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Long messages being truncated when sent using syslog_out

Unread post by mikeshinn »

I know in the past this limit was required because not all syslog listeners could handle messages larger than that.
GureenRyuu
Forum User
Forum User
Posts: 6
Joined: Fri Feb 15, 2019 3:31 am
Location: Beirut

Re: Long messages being truncated when sent using syslog_out

Unread post by GureenRyuu »

mikeshinn wrote:I know in the past this limit was required because not all syslog listeners could handle messages larger than that.
Is there a way to work around this? We have long messages being sent and we need them to be sent in full.
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4119
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Long messages being truncated when sent using syslog_out

Unread post by mikeshinn »

Yes the latest version of AEO allows for setting effectively an unlimited limit, just make sure youre using the latest version of AEO.
GureenRyuu
Forum User
Forum User
Posts: 6
Joined: Fri Feb 15, 2019 3:31 am
Location: Beirut

Re: Long messages being truncated when sent using syslog_out

Unread post by GureenRyuu »

mikeshinn wrote:Yes the latest version of AEO allows for setting effectively an unlimited limit, just make sure youre using the latest version of AEO.
I am. Where do I change this setting?
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4119
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Long messages being truncated when sent using syslog_out

Unread post by mikeshinn »

Sorry if I wasnt clear, the latest version of AEO has no limit. What version of AEO is the hub using?

Just run this command:

asl -v
GureenRyuu
Forum User
Forum User
Posts: 6
Joined: Fri Feb 15, 2019 3:31 am
Location: Beirut

Re: Long messages being truncated when sent using syslog_out

Unread post by GureenRyuu »

yum list installed | grep ossec
ossec-hids.x86_64 1:3.3.0-7006.el7.art @atomic
ossec-hids-server.x86_64 1:3.3.0-7006.el7.art @atomic
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4119
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Long messages being truncated when sent using syslog_out

Unread post by mikeshinn »

Thats pretty old, I dont think we've put out a version of AEO using a version of OSSEC that old. Can you send me the version number for AEO with this command:

asl -v
GureenRyuu
Forum User
Forum User
Posts: 6
Joined: Fri Feb 15, 2019 3:31 am
Location: Beirut

Re: Long messages being truncated when sent using syslog_out

Unread post by GureenRyuu »

mikeshinn wrote:Thats pretty old, I dont think we've put out a version of AEO using a version of OSSEC that old. Can you send me the version number for AEO with this command:

asl -v

It says no such command. Only Ossec is installed it seems.
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4119
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: Long messages being truncated when sent using syslog_out

Unread post by mikeshinn »

Ah, OK si that sounds like youre just using the open source builds? If so, then you need to grab the latest source code and build from that the binary your using is quite old and it looks like youre using 3.0, whereas the source tree has patches for the upcoming 4.0 release.

If youre using the commercial version, please let me know your system should definitely not be using such an old version of OSSEC.
GureenRyuu
Forum User
Forum User
Posts: 6
Joined: Fri Feb 15, 2019 3:31 am
Location: Beirut

Re: Long messages being truncated when sent using syslog_out

Unread post by GureenRyuu »

mikeshinn wrote:Ah, OK si that sounds like youre just using the open source builds? If so, then you need to grab the latest source code and build from that the binary your using is quite old and it looks like youre using 3.0, whereas the source tree has patches for the upcoming 4.0 release.

If youre using the commercial version, please let me know your system should definitely not be using such an old version of OSSEC.

We are using the open source version yes. Unfortunately it seems the latest tag is 3.3.0

https://github.com/ossec/ossec-hids
Post Reply