With Windows 2008, it is not uncommon to have event log entries larger than 1024 bytes, sometimes much larger. With ossec-2.5.1 reading a file in syslog format containing such large Windows event log records, the events that cause an alert get truncated before being logged to /var/ossec/logs/alerts/alerts.log and then further chopped up when put into email alerts.

Could an option be provided, perhaps in internal_options.conf, to set a syslog record size limit to something other than the currently hard-coded 1024? You may wish to reference my chat with mstarks on this issue on #ossec starting 16:54 EST 7/13/2011.

My specific setup is a Windows 2008 server running Snare, which forwards event log entries via TCP syslog to syslog-ng on my OSSEC server (a CentOS server). On the OSSEC server, syslog-ng writes the Windows event log entries to a file that OSSEC watches.

You may find this article about large Windows 2008 event log entries helpful: http://splunk-base.splunk.com/answers/4752/disabling-or-removing-extra-description-text-in-windows-2008-event-logs

Thanks for your consideration of this request.
Issue #21 new
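A way to measure how many records in the watched file would be affected by the 1024-byte limit described in this issue, as an added example that is not part of the original report or of OSSEC itself. The Snare-style tab-separated field layout, the hostnames and the event text are constructed assumptions for the sample data.

```python
"""Flag syslog records that exceed a fixed reader limit.

Added example (not OSSEC's own code). The issue reports that records longer
than a hard-coded 1024 bytes are truncated; this script scans syslog-format
lines (as syslog-ng would write them from Snare) and reports which records
would be cut and how much of each would be lost.
"""
from typing import Dict, List

OSSEC_RECORD_LIMIT = 1024  # hard-coded limit described in the issue


def _snare_record(event_id: int, description: str) -> str:
    """Build a constructed Snare-like record: syslog header, then tab-separated
    fields. The exact field order is an assumption, not Snare's documented format."""
    fields = ["WIN2008-01", "MSWinEventLog", "1", "Security", "42",
              "Wed Jul 13 16:54:00 2011", str(event_id),
              "Microsoft-Windows-Security-Auditing", "N/A", "N/A",
              "Success Audit", "WIN2008-01", "Logon", description, "0"]
    return "Jul 13 16:54:00 win2008-01 " + "\t".join(fields)


# Constructed sample input: one short record and one with the long
# "extra description text" that Windows 2008 appends.
SAMPLE_RECORDS = [
    _snare_record(4624, "An account was successfully logged on. " * 3),
    _snare_record(4688, "A new process has been created. "
                  + "Extra description text. " * 60),
]


def oversized_records(records: List[str],
                      limit: int = OSSEC_RECORD_LIMIT) -> List[Dict]:
    """Return one report per record whose UTF-8 byte length exceeds ``limit``."""
    reports = []
    for lineno, rec in enumerate(records, start=1):
        raw = rec.encode("utf-8")
        if len(raw) <= limit:
            continue
        fields = rec.split("\t")
        event_id = fields[6] if len(fields) > 6 else "unknown"  # assumed position
        reports.append({
            "line": lineno,
            "event_id": event_id,
            "bytes": len(raw),
            "bytes_lost": len(raw) - limit,
            "dropped_preview": raw[limit:limit + 40].decode("utf-8", "replace"),
        })
    return reports


if __name__ == "__main__":
    for r in oversized_records(SAMPLE_RECORDS):
        print(f"line {r['line']}: event {r['event_id']} is {r['bytes']} bytes, "
              f"{r['bytes_lost']} bytes would be lost: {r['dropped_preview']!r}")
```

Point the script at the file syslog-ng writes for OSSEC to see which event IDs are routinely cut before and after any limit change.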