Support Windows event log entries larger than 1024 bytes when forwarded as syslog messages
With Windows 2008, it is not uncommon to have event log entries larger than 1024 bytes, sometimes much larger. With ossec-2.5.1 reading a file in syslog format containing such large Windows event log records, the events that cause an alert get truncated before being logged to /var/ossec/logs/alerts/alerts.log and then further chopped up when put into email alerts.

Could an option be provided, perhaps in internal_options.conf, to set a syslog record size limit to something other than the currently hard-coded 1024? You may wish to reference my chat with mstarks on this issue on #ossec starting 16:54 EST 7/13/2011.

My specific setup is a Windows 2008 server running Snare which forwards event log entries via TCP syslog to syslog-ng on my OSSEC server (CentOS server). On the OSSEC server, syslog-ng writes the Windows event log entries to a file that ossec watches.

You may find this article about large Windows 2008 event log entries helpful: http://splunk-base.splunk.com/answers/4752/disabling-or-removing-extra-description-text-in-windows-2008-event-logs

Thanks for your consideration of this request.
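The following script is an added example, not code from the OSSEC project or from the reporter: it scans a syslog-format file of the kind syslog-ng writes in the setup above and reports which records exceed a fixed byte limit (1024 by default, the figure the report names), how many bytes each would lose, and which text would never reach alerts.log. The sample records are constructed in the general shape of a Snare-forwarded Windows event; the host name, event ID and description text are made up, and the file path is a placeholder.

```python
"""Report syslog-format records that exceed a fixed record-size limit.

Added example, not part of the OSSEC issue: it lets an administrator
measure how many forwarded Windows event log records would be cut by a
fixed-size record buffer before those records reach alert processing.
"""
import sys
from dataclasses import dataclass
from typing import Iterable, List

DEFAULT_LIMIT = 1024  # the hard-coded syslog record size named in the report


@dataclass
class Oversize:
    line_no: int
    size: int        # record length in UTF-8 bytes, which is what a C buffer counts
    lost_bytes: int  # bytes that fall beyond the limit
    tail: str        # the text that would be dropped


def find_oversize(lines: Iterable[str], limit: int = DEFAULT_LIMIT) -> List[Oversize]:
    """Return every record whose UTF-8 length exceeds `limit`, in file order."""
    found: List[Oversize] = []
    for n, line in enumerate(lines, start=1):
        raw = line.rstrip("\n").encode("utf-8")
        if len(raw) > limit:
            found.append(Oversize(
                line_no=n,
                size=len(raw),
                lost_bytes=len(raw) - limit,
                # errors="replace" guards against the cut landing inside a multi-byte char
                tail=raw[limit:].decode("utf-8", errors="replace"),
            ))
    return found


def max_record_size(lines: Iterable[str]) -> int:
    """Largest record in the input, in UTF-8 bytes (0 for empty input)."""
    return max((len(l.rstrip("\n").encode("utf-8")) for l in lines), default=0)


# Constructed sample records (made-up values, not real logs). The first and
# third are short; the second carries the long descriptive text that Windows
# 2008 appends to security events and exceeds the 1024-byte limit.
_SHORT = ("Jul 13 16:54:01 win2008 MSWinEventLog\t1\tSecurity\t100\t"
          "Wed Jul 13 16:54:01 2011\t4624\tMicrosoft-Windows-Security-Auditing\t"
          "N/A\tSuccess Audit\twin2008\tLogon\t\tAn account was successfully logged on.")
_DESCRIPTION = ("This event is generated when a logon session is created. "
                "The subject fields indicate the account on the local system. ") * 12
_LONG = _SHORT + "\t" + _DESCRIPTION

SAMPLE_LINES = [_SHORT + "\n", _LONG + "\n", _SHORT + "\n"]


def report(lines: Iterable[str], limit: int = DEFAULT_LIMIT) -> str:
    """Human-readable summary for a log file or the built-in sample."""
    lines = list(lines)
    hits = find_oversize(lines, limit)
    out = [f"records: {len(lines)}  over {limit} bytes: {len(hits)}  "
           f"largest: {max_record_size(lines)} bytes"]
    for h in hits:
        out.append(f"  line {h.line_no}: {h.size} bytes, {h.lost_bytes} would be cut; "
                   f"dropped text starts: {h.tail[:60]!r}")
    return "\n".join(out)


if __name__ == "__main__":
    # usage: python check_record_size.py [/path/to/windows-events.log] [limit]
    # (path is a placeholder; with no arguments the constructed sample is used)
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_LIMIT
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(fh, limit))
    else:
        print(report(SAMPLE_LINES, limit))
```

Lengths are measured in bytes after UTF-8 encoding rather than in characters, because the buffer being filled is sized in bytes; a record containing non-ASCII description text can therefore be over the limit even when it looks shorter than 1024 characters.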