Truncated alerts

[calve]

Hi.

I have some alerts witch gets truncated like so :

ossec: output: 'netstat -tanp |grep LISTEN |grep -v 127.0.0.1 | sort | sed -e 's/ [0-9]*\///'':
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     master
tcp        0      0 0.0.0.0:4505            0.0.0.0:*               LISTEN     python
tcp        0      0 0.0.0.0:4506            0.0.0.0:*               LISTEN     python
tcp6       0      0 :::22                   :::*                    LISTEN     sshd
tcp6       0      0 :::25                   :::*                    LISTEN     master
tcp6       0      0 :::80                   :::*                    LISTEN     apache2
tcp6       0      0 :::9000                 :::*                    LISTEN     java
tcp6       0      0 :::9200                 :::*                    LISTEN     java
tcp6       0      0 :::9300                 :::*                    LISTEN     java
tcp6       0      0 :::9301                 :::*                    LISTEN     java
Previous output:
ossec: output: 'netstat -tanp |grep LISTEN |grep -v 127.0.0.1 | sort | sed -e 's/ [0-9]*\///'':
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     smtpd
tcp        0      0 0.0.0.0:4505            0.0.0.0:*               LISTEN     python
tcp        0      0 0.0.0.0:4506            0.0.0.0:*               LISTEN     python
tcp6       0      0 :::22                   :::*                    LISTEN     sshd
tcp6       0      0 :::25                   :::*                    LISTEN     smtpd

Witch count for 1236 char.
So Previous output sections gets truncated by an hard-coded limit in src/analysisd/alerts/log.c at line 196

    printf(
           "** Alert %d.%ld:%s - %s\n"
            "%d %s %02d %s %s%s%s\nRule: %d (level %d) -> '%s'"
            "%s%s%s%s%s%s%s%s%s%s%s%s%s%s\n%.1256s\n",
            lf->time,
            __crt_ftell,
            lf->generated_rule->alert_opts & DO_MAILALERT?" mail ":"",
            lf->generated_rule->group,
            …)

What prevent us to apply this patch and rise the 1256 limit of the printf ?

[jrossi]

@calve Nothing other time no one has picked up the work and done it. Please do so it should be a simple pull request and would be accepted quickly (my guess). If you need a hand with anything let us know.

[ChristianBeer]

See #455 for another possible solution. Raising the limit is not ideal because to what limit should we raise it and is this sufficient in the future? The mail alert should only give a first overview from where the admin can start digging into the log files.

[axot]

We are considering to use the following command

netstat -46ln | awk '{print substr($0,0,6), substr($0,20,48)}' | gzip -n -9 | base64

[calve]

Quoting http://marc.info/?l=ossec-dev&m=134550679026814&w=2

The content of alerts.log may be forwarded to syslog server where there may
be size limitation.
We need to be careful here.

But it looks like syslog output is done in src/os_csyslogd/alert.c, so unsetting the length limit in analysisd should not have impact. Correct ?