Truncated alerts #473

calve · 2014-12-29T16:51:27Z

Hi.

I have some alerts witch gets truncated like so :

ossec: output: 'netstat -tanp |grep LISTEN |grep -v 127.0.0.1 | sort | sed -e 's/ [0-9]*\///'':
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     master
tcp        0      0 0.0.0.0:4505            0.0.0.0:*               LISTEN     python
tcp        0      0 0.0.0.0:4506            0.0.0.0:*               LISTEN     python
tcp6       0      0 :::22                   :::*                    LISTEN     sshd
tcp6       0      0 :::25                   :::*                    LISTEN     master
tcp6       0      0 :::80                   :::*                    LISTEN     apache2
tcp6       0      0 :::9000                 :::*                    LISTEN     java
tcp6       0      0 :::9200                 :::*                    LISTEN     java
tcp6       0      0 :::9300                 :::*                    LISTEN     java
tcp6       0      0 :::9301                 :::*                    LISTEN     java
Previous output:
ossec: output: 'netstat -tanp |grep LISTEN |grep -v 127.0.0.1 | sort | sed -e 's/ [0-9]*\///'':
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     smtpd
tcp        0      0 0.0.0.0:4505            0.0.0.0:*               LISTEN     python
tcp        0      0 0.0.0.0:4506            0.0.0.0:*               LISTEN     python
tcp6       0      0 :::22                   :::*                    LISTEN     sshd
tcp6       0      0 :::25                   :::*                    LISTEN     smtpd

Witch count for 1236 char.
So Previous output sections gets truncated by an hard-coded limit in src/analysisd/alerts/log.c at line 196

    printf(
           "** Alert %d.%ld:%s - %s\n"
            "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'"
            "%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n",
            lf->time,
            __crt_ftell,
            lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"",
            lf->generated_rule->group,
            …)

What prevent us to apply this patch and rise the 1256 limit of the printf ?

The text was updated successfully, but these errors were encountered:

jrossi · 2015-01-05T03:46:31Z

@calve Nothing other time no one has picked up the work and done it. Please do so it should be a simple pull request and would be accepted quickly (my guess). If you need a hand with anything let us know.

ChristianBeer · 2015-01-05T07:49:55Z

See #455 for another possible solution. Raising the limit is not ideal because to what limit should we raise it and is this sufficient in the future? The mail alert should only give a first overview from where the admin can start digging into the log files.

axot · 2016-03-29T06:20:37Z

We are considering to use the following command

netstat -46ln | awk '{print substr($0,0,6), substr($0,20,48)}' | gzip -n -9 | base64

calve · 2016-04-20T14:12:03Z

Quoting http://marc.info/?l=ossec-dev&m=134550679026814&w=2

The content of alerts.log may be forwarded to syslog server where there may
be size limitation.
We need to be careful here.

But it looks like syslog output is done in src/os_csyslogd/alert.c, so unsetting the length limit in analysisd should not have impact. Correct ?

calve changed the title ~~Alerts truncated~~ Truncated alerts Dec 29, 2014

jrossi added the enhancement label Jan 5, 2015

joaopsys mentioned this issue Jul 8, 2017

Netstat changes not showing previous output on JSON logs #1180

Closed

cm405d mentioned this issue Aug 2, 2017

Windows Events Truncated When Forwarding via CEF #1214

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Truncated alerts #473

Truncated alerts #473

calve commented Dec 29, 2014

jrossi commented Jan 5, 2015

ChristianBeer commented Jan 5, 2015

axot commented Mar 29, 2016

calve commented Apr 20, 2016

Truncated alerts #473

Truncated alerts #473

Comments

calve commented Dec 29, 2014

jrossi commented Jan 5, 2015

ChristianBeer commented Jan 5, 2015

axot commented Mar 29, 2016

calve commented Apr 20, 2016