Rule 1003 cannot be overwritten #174
Comments
Could you attach an example that you expect to work? I am not getting the same issue.
I'll try to remember to dig something up when I get back to work on Monday.
Here's a sample alert that tripped it:
And here's the rule in local_rules.xml:
Editing the rule directly also does not work, so it would appear that the maxsize value has no effect.
For me it works, just make sure you have it inside. For example, add it before the ending tag:
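The shape of the override the comment above describes, as an added example that is not a snippet from this thread or from the OSSEC project: a local_rules.xml fragment that overwrites the stock rule 1003 with a larger maxsize. The group name "local,syslog,", the level 13 and the maxsize value 8192 are assumptions made for the example.

```xml
<!-- Added example, not from the thread. Group name, level and maxsize are assumed values. -->
<group name="local,syslog,">

  <!-- Overwrite of the stock rule 1003 ("Non standard syslog message (size too large)").
       overwrite="yes" tells the analysis daemon to replace the rule with this definition;
       maxsize is the message length above which the rule fires, so it must be set larger
       than the longest legitimate line that should not be flagged. -->
  <rule id="1003" level="13" maxsize="8192" overwrite="yes">
    <description>Non standard syslog message (size too large).</description>
  </rule>

</group> <!-- the override has to sit inside the group, before this closing tag -->
```

Two checks worth making after adding this: confirm the rule element is nested inside a group rather than placed at top level of the file, and reload or restart the analysis daemon so the changed ruleset is actually read. The ossec-logcollector "Large message size" entry quoted later in the thread is written by the collector when a single read line exceeds its own internal buffer, independently of rule 1003, so a rule override cannot suppress that ossec.log line.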
Just wanted to add an update that this still doesn't work on a new install. Non standard syslog message (size too large)... has no effect. That would have to be one big log!
Another data point: if the overwrite rule is set to 0, it will indeed stop alerting. But the issue is that maxsize in the overwrite rule has no effect. In this case, ossec.log will still record a copy of the message prepended with something like this: 2015/11/19 13:22:52 ossec-logcollector: Large message size(length=5887):
I can confirm that this is still an issue. All error/event logs coming from Windows machines that hit this rule repeatedly will trigger the message. Changing the maxsize has no noticeable effect, either in the syslog_rules.xml or adding a new entry in the local_rules.xml file. I've added some test messages that trigger the error regardless of the size set. The messages are 2428, 1027 and 5024 bytes respectively.
I see (without changing the rule):
After changing the rule:
What I added to my local_rules.xml:
Ok, I did finally manage to get this working with the comment help above. Thank you.
I think the issue may be with the JSON output. Despite the additions to the local_rules.xml file, the JSON still lists the Non standard syslog message (size too large) message. It's like the JSON formatter/parser is not respecting the local_rules.xml file. (This may be a separate issue altogether.)
And how do I solve JSON? I already applied the local rule and it still does not work; I still generate the events.
@ellococareloco What version of OSSEC are you using? Where are you seeing the issue? Can you give me a sample?
Here you go. Still happens for my Mastodon JSON logging in OSSEC 3.1.0; I had already tried to put this into local_rules.xml:
However, I still receive such alerts for messages of ~1250 chars:
Thanks for any help in fixing this.
Specifically, using the overwrite=yes and increasing the maxsize attribute to something larger than the problem log line has no effect. It might also be that changing this attribute and not overwriting this rule is also broken. I have not tried that.