Max message length in alerts log (1256)


Florian Crouzat

May 10, 2012, 8:14:52 AM
to osse...@googlegroups.com
Hi,

For a really specific purpose I'd like to log the full message in
alerts.log. I do have the full log line in archives.log; but these lines
are truncated around 1250 chars in alerts.log.

Actually, looking at the source for ossec 1.6, I see that it's hardcoded
in the log function for alerts.

$ fgrep OS_LogOutput -A5 ~/ossec-hids-2.6/src/analysisd/alerts/log.c
void OS_LogOutput(Eventinfo *lf)
{
printf(
"** Alert %d.%ld:%s - %s\n"
"%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'"
"%s%s%s%s%s%s%s%s%s%s\n%.1256s\n",

Is there a plan to make it configurable? Maybe through
/var/ossec/etc/internal_options.conf?


--
Cheers,
Florian Crouzat

Florian Crouzat

Aug 21, 2012, 3:50:40 AM
to JB Cheng, osse...@googlegroups.com
On 21/08/2012 01:42, JB Cheng wrote:
> The content of alerts.log may be forwarded to syslog server where there
> may be size limitation.
> We need to be careful here.
>
> Would you try changing 1256 below to a larger number and test it first?
> "%s%s%s%s%s%s%s%s%s%s\n%.1256s\n",

I did the ugliest thing and it worked.
I couldn't recompile ossec at the time, so I binary-edited
/var/ossec/bin/ossec-analysisd with vim -b and replaced 1256 with 8192;
works like a charm.
So I guess it means it works; patching the source would be a lot cleaner ;)
--
Cheers,
Florian Crouzat
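The thread's two points, the hardcoded `%.1256s` precision in log.c and JB Cheng's caveat that a larger limit has to be checked against whatever syslog receiver consumes alerts.log, can both be shown in a few lines of C. The block below is an added example written for this page; it is not OSSEC code and not Florian's patch. It replaces the literal precision with the standard `%.*s` conversion, which reads the precision from an int argument at runtime, so the limit can come from a setting instead of a recompile or a binary edit. The setter `set_alert_max_len()` stands in for reading a hypothetical internal_options.conf key; OSSEC has no such key and the name is an assumption. `alert_would_truncate()` is the check a defender would run over real events before raising the limit, to see how often the cap actually bites and how large the forwarded lines would become.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The precision that log.c bakes into its format string as "%.1256s". */
#define DEFAULT_ALERT_MAX_LEN 1256

static int alert_max_len = DEFAULT_ALERT_MAX_LEN;

/* Hypothetical setter standing in for a (non-existent, assumed) key such as
 * analysisd.alert_max_len in internal_options.conf. Values below 1 fall back
 * to the historical default so a bad config cannot silence the message. */
void set_alert_max_len(int n)
{
    alert_max_len = (n < 1) ? DEFAULT_ALERT_MAX_LEN : n;
}

int get_alert_max_len(void)
{
    return alert_max_len;
}

/* Render the trailing "full log" line of an alert as the thread's printf
 * does, but with "%.*s": the precision is taken from alert_max_len at call
 * time instead of being a literal in the format string. Returns a malloc'd
 * string (caller frees) or NULL on error. */
char *format_alert_full_log(const char *full_log)
{
    int needed = snprintf(NULL, 0, "%.*s\n", alert_max_len, full_log);
    if (needed < 0)
        return NULL;
    char *out = malloc((size_t)needed + 1);
    if (!out)
        return NULL;
    snprintf(out, (size_t)needed + 1, "%.*s\n", alert_max_len, full_log);
    return out;
}

/* 1 if this event would lose bytes under the current limit. Counting these
 * over a day of archives.log shows whether raising the cap is worth the
 * larger lines the syslog receiver will then have to accept. */
int alert_would_truncate(const char *full_log)
{
    return strlen(full_log) > (size_t)alert_max_len;
}

/* Constructed test input: a message of 'len' bytes of 'x'. */
char *make_message(size_t len)
{
    char *m = malloc(len + 1);
    if (!m)
        return NULL;
    memset(m, 'x', len);
    m[len] = '\0';
    return m;
}

/* Bytes actually logged (newline excluded) for a constructed message of
 * msg_len bytes under the given limit. */
size_t logged_length(size_t msg_len, int limit)
{
    set_alert_max_len(limit);
    char *msg = make_message(msg_len);
    char *line = format_alert_full_log(msg);
    size_t n = strlen(line) - 1;   /* drop the trailing '\n' */
    free(line);
    free(msg);
    return n;
}

int main(void)
{
    /* A 3000-byte event under the stock limit and under Florian's 8192. */
    printf("limit 1256: %zu of 3000 bytes logged\n", logged_length(3000, 1256));
    printf("limit 8192: %zu of 3000 bytes logged\n", logged_length(3000, 8192));
    return 0;
}
```

With the default limit the 3000-byte event is cut to 1256 bytes, exactly what the thread observes; with the limit raised to 8192 the whole event is written. Before shipping a larger value, run `alert_would_truncate()` over representative events and compare the longest surviving line against the message size the downstream syslog path accepts, which is the concern JB Cheng raises.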