Support Windows event log entries larger than 1024 bytes when forwarded as syslog messages

Issue #21 new

With Windows 2008, it is not uncommon to have event log entries larger than 1024 bytes, sometimes much larger. With ossec-2.5.1 reading a file in syslog format containing such large Windows event log records, the events that cause an alert get truncated before being logged to /var/ossec/logs/alerts/alerts.log and then further chopped up when put into email alerts.

Could an option be provided, perhaps in internal_options.conf, to set a syslog record size limit to something other than the currently hard-coded 1024? You may wish to reference my chat with mstarks on this issue on #ossec starting 16:54 EST 7/13/2011.

My specific setup is a Windows 2008 server running Snare, which forwards event log entries via TCP syslog to syslog-ng on my OSSEC server (CentOS server). On the OSSEC server, syslog-ng writes the Windows event log entries to a file that OSSEC watches.

You may find this article about large Windows 2008 event log entries helpful:

Thanks for your consideration of this request.

Comments (5)

  1. kevbranch reporter

    I am now on OSSEC release 2.6 and this issue persists. I have already increased the maxsize value in rule 1003, which is necessary to prevent rule 1003 from firing for every large Windows syslog message. However, regardless of the higher maxsize value in rule 1003, any syslog record longer than 1024 bytes triggering an OSSEC rule gets chopped off at the 1024-byte mark. So much of the event data seen in /var/ossec/logs/alerts/alerts.log is missing for such events. This appears to be a hard-coded limit that I would like to be able to set high enough to not lose so much event data.

  2. mstarks01

    Take a look at src/analysisd/alerts/log.c in this section:

        void OS_LogOutput(Eventinfo *lf)
        {
            printf(
                " Alert %d.%ld:%s - %s\n"
                "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'"
                "%s%s%s%s%s%s%s%s%s%s\n%.1256s\n",

    Try changing 1256 to a higher number, recompile and let me know how it goes. If you use syslog or database output there may be unknown effects, so keep a backup copy of the binary just in case.
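
The precision in a `%.1256s` conversion caps how many bytes of the string `printf` emits, so anything past that point in a long record never reaches the alert text. As an added illustration (not part of the issue thread and not OSSEC source), this C program passes the limit at run time with `%.*s` instead of a constant; `format_alert`, `run_case`, the 3000-byte record and its trailing `LogonType=3` field are all constructed for the example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_LEN 3000        /* constructed: size of a "large" Windows record */
#define MARKER "LogonType=3"   /* constructed: field at the very end of the record */

/* Hypothetical helper (not OSSEC code): write the rule line and at most
 * max_log bytes of the raw log, as "%.1256s" does with a fixed limit.
 * Returns the number of log bytes dropped, or -1 if out is too small. */
long format_alert(char *out, size_t out_sz, int rule_id, int level,
                  const char *full_log, size_t max_log)
{
    size_t len = strlen(full_log);
    size_t keep = len < max_log ? len : max_log;
    int n;
    if (keep > INT_MAX)        /* the '*' precision argument is an int */
        keep = INT_MAX;
    n = snprintf(out, out_sz, "Rule: %d (level %d)\n%.*s\n",
                 rule_id, level, (int)keep, full_log);
    if (n < 0 || (size_t)n >= out_sz)
        return -1;
    return (long)(len - keep);
}

/* Build the constructed record (filler plus MARKER as the last field), format
 * it with the given limit, and report whether MARKER survived in the alert. */
long run_case(size_t max_log, int *marker_kept)
{
    static char rec[SAMPLE_LEN + 1], out[SAMPLE_LEN + 64];
    size_t pad = SAMPLE_LEN - strlen(MARKER);
    long dropped;

    memset(rec, 'A', pad);
    strcpy(rec + pad, MARKER);
    dropped = format_alert(out, sizeof out, 1002, 2, rec, max_log);
    *marker_kept = dropped >= 0 && strstr(out, MARKER) != NULL;
    return dropped;
}

int main(void)
{
    int kept;
    long d = run_case(1256, &kept);
    printf("limit 1256: dropped %ld bytes, marker kept: %d\n", d, kept);
    d = run_case(8192, &kept);
    printf("limit 8192: dropped %ld bytes, marker kept: %d\n", d, kept);
    return 0;
}
```

Returning the dropped-byte count lets the caller record that an alert was truncated, so an analyst knows to go back to the original log file for the full event.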
