Is it possible to increase the message limit so that they would no longer be truncated? Perhaps using something other than syslog_output?
We’re using the following Ossec 3.1 for log collection, sending messages to a CEF UDP input in Graylog 2.5.

Is there a way to work around this? We have long messages being sent and we need them to be sent in full.

mikeshinn wrote: I know in the past this limit was required because not all syslog listeners could handle messages larger than that.

I am. Where do I change this setting?

mikeshinn wrote: Yes, the latest version of AEO allows for setting effectively an unlimited limit, just make sure you're using the latest version of AEO.

mikeshinn wrote: That's pretty old, I don't think we've put out a version of AEO using a version of OSSEC that old. Can you send me the version number for AEO with this command:
asl -v

mikeshinn wrote: Ah, OK, so that sounds like you're just using the open source builds? If so, then you need to grab the latest source code and build from that. The binary you're using is quite old, and it looks like you're using 3.0, whereas the source tree has patches for the upcoming 4.0 release.
If you're using the commercial version, please let me know; your system should definitely not be using such an old version of OSSEC.