"Non standard syslog message (size too large)"


jplee3

Dec 11, 2009, 4:07:10 PM
to ossec-list
Hey guys,

Just wondering but with the "Non standard syslog message (size too
large)" message, does this mean that OSSEC can't parse the log,
period? Is there any way to increase the limit size so that it *can*
read/parse larger messages? Also, does this only apply to syslog, or
to other logs as well?

The reason is because I'm trying to parse a custom log and it is
pretty huge... would the only other option be to pre-parse the log
first so that it's smaller and then have OSSEC look at the smaller log?

Daniel Cid

Dec 16, 2009, 2:06:13 PM
to ossec...@googlegroups.com
Hey,

It can parse the log without problems. This message is generated by this rule:

<rule id="1003" level="13" maxsize="1025">
<description>Non standard syslog message (size too large).</description>
</rule>


So, you can ignore that rule for this specific log you are parsing or
just increase the size for everyone... Example:

<rule id="100103" level="0">
  <description>Ignoring size too large alerts for myapp.</description>
  <match>myapp log</match>
</rule>

(or use <program_name>myapp</program_name> instead of <match>)


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

jplee3

Dec 16, 2009, 3:13:40 PM
to ossec-list
Thanks for the tip! I didn't notice that rule at first!

Anyway, I tried increasing the maxsize to something ridiculous like
"1000000" (which should be well beyond the size of these log entries).
And I also tried creating an ignore rule (specifically for that rule
sid - 1003). But in both cases the rule still gets triggered... is
there something I'm missing?


Thanks,
Jeremy
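Whether a level-0 override like the one Daniel posted actually silences rule 1003, and why Jeremy may still see it fire, depends on where the override sits in the rule tree. The Python below is an added model written for this thread, not OSSEC's own code; it encodes my assumptions about analysisd's selection order (top-level rules tried from highest level to lowest, a matched rule's <if_sid> children tried before it is returned, maxsize firing once the log reaches that length) and shows that under those assumptions the override only wins when it is a child of 1003 via <if_sid>.

```python
# Added model of OSSEC rule selection, not OSSEC's own code. Assumptions: top-level
# rules are tried from highest level to lowest, a matched rule's <if_sid> children
# are tried before it is returned, and maxsize fires once the log reaches that length.
from dataclasses import dataclass, field

@dataclass
class Rule:
    rid: int
    level: int
    maxsize: int = 0          # 0 = no size check
    program_name: str = ""    # exact match on the syslog program tag
    match: str = ""           # substring match on the log body
    if_sid: int = 0           # parent rule id; 0 = top-level rule
    children: list = field(default_factory=list)

def matches(rule, program, log):
    if rule.maxsize and len(log) < rule.maxsize:
        return False
    if rule.program_name and rule.program_name != program:
        return False
    return not rule.match or rule.match in log

def build_tree(rules):
    # attach <if_sid> children to their parents, then order siblings highest level first
    by_id = {r.rid: r for r in rules}
    for r in rules:
        if r.if_sid:
            by_id[r.if_sid].children.append(r)
    for r in rules:
        r.children.sort(key=lambda c: c.level, reverse=True)
    return sorted((r for r in rules if not r.if_sid), key=lambda r: r.level, reverse=True)

def select(nodes, program, log):   # first match in order, refined by its deepest matching child
    for r in nodes:
        if matches(r, program, log):
            child = select(r.children, program, log)
            return child if child is not None else r
    return None

def fired_rule(rules, program, log):   # rule id the model selects, or None
    node = select(build_tree(rules), program, log)
    return node.rid if node else None

def override_as_posted():      # the thread's level-0 rule: no <if_sid>, so it is top-level
    return [Rule(1003, 13, maxsize=1025), Rule(100103, 0, program_name="myapp")]
def override_with_if_sid():    # same rule made a child of 1003 (my assumed fix)
    return [Rule(1003, 13, maxsize=1025), Rule(100103, 0, program_name="myapp", if_sid=1003)]
BIG_LOG = "myapp log " * 200   # constructed 2000-byte body, well over maxsize 1025
print("as posted:", fired_rule(override_as_posted(), "myapp", BIG_LOG),
      "with if_sid:", fired_rule(override_with_if_sid(), "myapp", BIG_LOG))
```

The model only covers the three conditions used here (maxsize, program_name, match); real rules have many more, so treat it as a way to reason about ordering, not a substitute for testing with ossec-logtest.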