
Comments (13)

jrossi commented on August 18, 2024

Could you attach an example that you expect to work? I am not getting the same issue.

from ossec-hids.

mstarks01 commented on August 18, 2024

I'll try to remember to dig something up when I get back to work on Monday.

mstarks01 commented on August 18, 2024

Here's a sample alert that tripped it:

OSSEC HIDS Notification.
2014 Mar 07 09:38:16

Received From: HOSTNAME->/data/logs/HOSTNAME/HOSTNAME.log
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
Portion of the log(s):

Mar  7 09:39:14 HOSTNAME Outlook: 45: Outlook loaded the following add-in(s): Name: Microsoft Exchange Add-in Description: Exchange support for Unified Messaging, e-mail permission rules, and calendar availability. ProgID: UmOutlookAddin.FormRegionAddin GUID: {F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3} Load Behavior: 03 HKLM: 1 Location: C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\UmOutlookAddin.dll Boot Time (Milliseconds): 202 Name: TeamViewer Meeting Add-In Description: Schedule TeamViewer meetings in your calendar. ProgID: TeamViewerOutlookAddIn GUID: {A04A9CCE-4C17-4270-A1E2-4EDB0F752235} Load Behavior: 03 HKLM: 1 Location: mscoree.dll Boot Time (Milliseconds): 3744 Name: MM VFRegisterAddin Description: MM Outlook Addin for registering voiceform ProgID: OutlookVFRegisterAddin.Connect GUID: {B0FCF33D-02D7-48AB-B065-5179C48969E6} Load Behavior: 03 HKLM: 1 Location: C:\Program Files (x86)\BLA BLA\Client\bla bla.dll Boot Time (Milliseconds): 998 Name: MM Outlook UI Addin Description: MM Outlook Addin for UI controls ProgID: OutlookUIAddin.Addin GUID: {2FAA93CC-BB4F-4D4A-9657-258C1DEC2FE2} Load Behavior: 03 HKLM: 1 Location: C:\Program Files (x86)\BLA BLA\Client\bla bla.dll Boot 



 --END OF NOTIFICATION

And here's the rule in local_rules.xml:

<rule id="1003" level="13" maxsize="304900" overwrite="yes">
  <description>Non standard syslog message (size too large).</description>
</rule>

mstarks01 commented on August 18, 2024

Editing the rule directly also does not work, so it would appear that the maxsize value has no effect.

dkade commented on August 18, 2024

For me it works; just make sure you have it inside <group name="local,syslog,">!

For example, add it before the closing tag:

  <rule id="1003" level="3" maxsize="4010" overwrite="yes">
    <description>Non standard syslog message (size too large).</description>
  </rule>

</group> <!-- SYSLOG,LOCAL -->

mstarks01 commented on August 18, 2024

Just wanted to add an update that this still doesn't work on a new install.

Non standard syslog message (size too large).

... has no effect. That would have to be one big log!

mstarks01 commented on August 18, 2024

Another data point: if the overwrite rule is set to 0, it will indeed stop alerting. But the issue is that maxsize in the overwrite rule has no effect.

In this case, ossec.log will still record a copy of the message prepended with something like this: 2015/11/19 13:22:52 ossec-logcollector: Large message size(length=5887):

dm00000 commented on August 18, 2024

I can confirm that this is still an issue.

All error/event logs coming from Windows machines that hit this rule repeatedly will trigger the message. Changing the maxsize has no noticeable effect, either in the syslog_rules.xml or adding a new entry in the local_rules.xml file.

I've added some test messages that trigger the error regardless of the size set. The messages are 2428, 1027 and 5024 bytes respectively:

2016 May 11 14:39:41 WinEvtLog: Application: INFORMATION(3010): MSExchange ADAccess: (no user): no domain: EXHANGE-1234.net: Process MSExchangeMailboxReplication.exe (MSExchMbxRepl) (PID=9876). Current policies: PolicyType:ResourcePolicy;None:Discretionary:2147483645:2147483646:2147483647;None:InternalMaintenance:2147483645:2147483646:2147483647;None:CustomerExpectation:2147483645:2147483646:2147483647;None:Urgent:2147483645:2147483646:2147483647;;ActiveDirectoryReplicationLatency:MaxConcurrency:32767;ActiveDirectoryReplicationLatency:Discretionary:5:20:45;ActiveDirectoryReplicationLatency:InternalMaintenance:5:25:45;ActiveDirectoryReplicationLatency:CustomerExpectation:5:30:50;ActiveDirectoryReplicationLatency:Urgent:5:60:100;;MdbLatency:MaxConcurrency:10;MdbLatency:Discretionary:10000:20000:70000;MdbLatency:InternalMaintenance:10000:20000:70000;MdbLatency:CustomerExpectation:15000:30000:70000;MdbLatency:Urgent:25000:50000:100000;;Processor:MaxConcurrency:32767;Processor:Discretionary:70:80:100;Processor:InternalMaintenance:75:85:100;Processor:CustomerExpectation:80:90:100;Processor:Urgent:100:100:100;;MdbReplication:MaxConcurrency:10;MdbReplication:Discretionary:2097152:6291456:52428800;MdbReplication:InternalMaintenance:2097152:6291456:52428800;MdbReplication:CustomerExpectation:2097152:6291456:52428800;MdbReplication:Urgent:2097152:6291456:52428800;;CiAgeOfLastNotification:MaxConcurrency:32767;CiAgeOfLastNotification:Discretionary:60:180:240;CiAgeOfLastNotification:InternalMaintenance:120:180:300;CiAgeOfLastNotification:CustomerExpectation:180:240:600;CiAgeOfLastNotification:Urgent:240:300:600;;CiRetryQueueSize:MaxConcurrency:32767;CiRetryQueueSize:Discretionary:10000000:11000000:12000000;CiRetryQueueSize:InternalMaintenance:10000000:11000000:12000000;CiRetryQueueSize:CustomerExpectation:10000000:11000000:12000000;CiRetryQueueSize:Urgent:10000000:11000000:12000000;;MdbAvailability:MaxConcurrency:10;MdbAvailability:Discretionary:11534336:105906176:1048576000;MdbAvailability:InternalMaintenance:11534336:105906176:1048576000;MdbAvailability:CustomerExpectation:11534336:105906176:1048576000;MdbAvailability:Urgent:11534336:105906176:1048576000;;Remote:MaxConcurrency:10;Remote:Discretionary:2147483645:2147483646:2147483647;Remote:InternalMaintenance:2147483645:2147483646:2147483647;Remote:CustomerExpectation:2147483645:2147483646:2147483647;Remote:Urgent:2147483645:2147483646:2147483647;

2016 May 16 10:34:12 WinEvtLog: Security: AUDIT_SUCCESS(4648): Microsoft-Windows-Security-Auditing: (no user): no domain: EXHANGE-1234.net: A logon was attempted using explicit credentials. Subject: Security ID: S-1-2-34 Account Name: EXCHANGE$ Account Domain: CLEANEDDOMAIN Logon ID: 0x123 Logon GUID: {00000000-0000-0000-0000-000000000000} Account Whose Credentials Were Used: Account Name: ACCOUNTNAMEHASH Account Domain: 1234.NET Logon GUID: {00000000-0000-0000-0000-000000000000} Target Server: Target Server Name: EXCHANGE.1234.net Additional Information: HTTP/EXCHANGE.1234.net Process Information: Process ID: 0xe48 Process Name: C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeHMWorker.exe Network Information: Network Address: - Port: - This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

2016 May 16 10:35:11 WinEvtLog: Application: ERROR(65535): Application: (no user): no domain: EXHANGE-1234.net: <TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord"; Severity="Error"><TraceIdentifier>http://msdn.microsoft.com/en-US/library/System.ServiceModel.Channels.TcpConnectionResetError.aspx</TraceIdentifier><Description>The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:01:00'. The local IP address and port is [::1]:12345. The remote IP address and port is [::1]:678.</Description><AppDomain>MSExchangeFrontendTransport.exe</AppDomain><ExtendedData xmlns="http://schemas.microsoft.com/2006/08/ServiceModel/MessageTraceRecord"></ExtendedData><Exception><ExceptionType>System.ServiceModel.CommunicationException, System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>The socket connection was aborted. This could be caused by an error processing your message or a receive timeout being exceeded by the remote host, or an underlying network resource issue. Local socket timeout was '00:01:00'.</Message><StackTrace> at System.ServiceModel.Channels.SocketConnection.ConvertTransferException(SocketException socketException, TimeSpan timeout, Exception originalException, TransferOperation transferOperation, Boolean aborted, String timeoutErrorString, TransferOperation timeoutErrorTransferOperation, SocketConnection socketConnection, TimeSpan remainingTime) at System.ServiceModel.Channels.SocketConnection.ConvertSendException(SocketException socketException, TimeSpan remainingTime) at System.ServiceModel.Channels.SocketConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout) at System.ServiceModel.Channels.BufferedConnection.WriteNow(Byte[] buffer, Int32 offset, Int32 size, TimeSpan timeout, BufferManager bufferManager) at System.ServiceModel.Channels.BufferedConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout) at System.ServiceModel.Channels.ConnectionStream.Write(Byte[] buffer, Int32 offset, Int32 count) at System.Net.Security.NegotiateStream.StartWriting(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.NegotiateStream.ProcessWrite(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest) at System.Net.Security.NegotiateStream.Write(Byte[] buffer, Int32 offset, Int32 count) at System.ServiceModel.Channels.StreamConnection.Write(Byte[] buffer, Int32 offset, Int32 size, Boolean immediate, TimeSpan timeout) at System.ServiceModel.Channels.FramingDuplexSessionChannel.CloseOutputSessionCore(TimeSpan timeout) at System.ServiceModel.Channels.TransportDuplexSessionChannel.CloseOutputSession(TimeSpan timeout) at System.ServiceModel.Channels.TransportDuplexSessionChannel.OnClose(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout) at System.ServiceModel.Channels.ServiceChannel.OnClose(TimeSpan timeout) at System.ServiceModel.Channels.CommunicationObject.Close(TimeSpan timeout) at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor) at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments) at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture) at System.ServiceModel.Channels.ServiceChannelProxy.ExecuteMessage(Object target, IMethodCallMessage methodCall) at System.ServiceModel.Channels.ServiceChannelProxy.InvokeChannel(IMethodCallMessage methodCall) at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) at System.ServiceModel.ICommunicationObject.Close() at Microsoft.Exchange.Net.WcfUtils.DisposeWcfClientGracefully(ICommunicationObject client, Boolean skipDispose) at Microsoft.Exchange.Net.ServiceProxyPool1.GetClient(Boolean useCache) at Microsoft.Exchange.Net.ServiceProxyPool1.TryCallServiceWithRetry(Action1 action, String debugMessage, WCFConnectionStateTuple proxyToUse, Int32 numberOfRetries, Boolean doNotReturnProxyOnSuccess, Exception& exception) at Microsoft.Exchange.Data.Directory.ServiceTopologyProvider.GetTopologyVersions(IList1 partitionFqdns) at Microsoft.Exchange.Data.Directory.TopologyProvider.GetTopologyVersion(String partitionFqdn) at Microsoft.Exchange.Data.Directory.ConnectionPoolManager.CheckTopologyVersionForRebuild() at Microsoft.Exchange.Data.Directory.ConnectionPoolManager.GetConnection(ConnectionType connectionType, String partitionFqdn, ADObjectId domain, String serverName, Int32 port, NetworkCredential credential) at Microsoft.Exchange.Data.Directory.ConnectionPoolManager.GetConnection(ConnectionType connectionType, String partitionFqdn) at M

ddpbsd commented on August 18, 2024

I see (without changing the rule):

**Phase 1: Completed pre-decoding.
       full event: '2016 May 11 14:39:41 WinEvtLog: Application: INFORMATION(3010): MSExchange ADAccess: (no user): no domain: EXHANGE-1234.net: Process MSExchangeMailboxReplication.exe (MSExchMbxRepl) (PID=9876). Current policies: PolicyType:ResourcePolicy;None:Discretionary:2147483645:2147483646:2147483647;None:InternalMaintenance:2147483645:2147483646:2147483647;None:CustomerExpectation:2147483645:2147483646:2147483647;None:Urgent:2147483645:2147483646:2147483647;;ActiveDirectoryReplicationLatency:MaxConcurrency:32767;ActiveDirectoryReplicationLatency:Discretionary:5:20:45;ActiveDirectoryReplicationLatency:InternalMaintenance:5:25:45;ActiveDirectoryReplicationLatency:CustomerExpectation:5:30:50;ActiveDirectoryReplicationLatency:Urgent:5:60:100;;MdbLatency:MaxConcurrency:10;MdbLatency:Discretionary:10000:20000:70000;MdbLatency:InternalMaintenance:10000:20000:70000;MdbLatency:CustomerExpectation:15000:30000:70000;MdbLatency:Urgent:25000:50000:100000;;Processor:MaxConcurrency:32767;Processor:Discretionary:70:80:100;Processor:InternalMaintenance:75:85:100;Processor:CustomerExpectation:80:90:100;Processor:Urgent:100:100:100;;MdbReplication:MaxConcurrency:10;MdbReplication:Discretionary:2097152:6291456:52428800;MdbReplication:InternalMaintenance:2097152:6291456:52428800;MdbReplication:CustomerExpectation:2097152:6291456:52428800;MdbReplication:Urgent:2097152:6291456:52428800;;CiAgeOfLastNotification:MaxConcurrency:32767;CiAgeOfLastNotification:Discretionary:60:180:240;CiAgeOfLastNotification:InternalMaintenance:120:180:300;CiAgeOfLastNotification:CustomerExpectation:180:240:600;CiAgeOfLastNotification:Urgent:240:300:600;;CiRetryQueueSize:MaxConcurrency:32767;CiRetryQueueSize:Discretionary:10000000:11000000:12000000;CiRetryQueueSize:InternalMaintenance:10000000:11000000:12000000;CiRetryQueueSize:CustomerExpectation:10000000:11000000:12000000;CiRetryQueueSize:Urgent:10000000:11000000:12000000;;MdbAvailability:MaxConcurrency:10;MdbAvailability:Discretionary:11534336:105906176:1048576000;MdbAvailability:InternalMaintenance:11534336:105906176:1048576000;MdbAvailability:CustomerExpectation:11534336:105906176:1048576000;MdbAvailability:Urgent:11534336:105906176:1048576000;;Remote:MaxConcurrency:10;Remote:Discretionary:2147483645:2147483646:2147483647;Remote:InternalMaintenance:2147483645:2147483646:2147483647;Remote:CustomerExpectation:2147483645:2147483646:2147483647;Remote:Urgent:2147483645:2147483646:2147483647;'
       hostname: 'ix'
       program_name: 'WinEvtLog'
       log: 'Application: INFORMATION(3010): MSExchange ADAccess: (no user): no domain: EXHANGE-1234.net: Process MSExchangeMailboxReplication.exe (MSExchMbxRepl) (PID=9876). Current policies: PolicyType:ResourcePolicy;None:Discretionary:2147483645:2147483646:2147483647;None:InternalMaintenance:2147483645:2147483646:2147483647;None:CustomerExpectation:2147483645:2147483646:2147483647;None:Urgent:2147483645:2147483646:2147483647;;ActiveDirectoryReplicationLatency:MaxConcurrency:32767;ActiveDirectoryReplicationLatency:Discretionary:5:20:45;ActiveDirectoryReplicationLatency:InternalMaintenance:5:25:45;ActiveDirectoryReplicationLatency:CustomerExpectation:5:30:50;ActiveDirectoryReplicationLatency:Urgent:5:60:100;;MdbLatency:MaxConcurrency:10;MdbLatency:Discretionary:10000:20000:70000;MdbLatency:InternalMaintenance:10000:20000:70000;MdbLatency:CustomerExpectation:15000:30000:70000;MdbLatency:Urgent:25000:50000:100000;;Processor:MaxConcurrency:32767;Processor:Discretionary:70:80:100;Processor:InternalMaintenance:75:85:100;Processor:CustomerExpectation:80:90:100;Processor:Urgent:100:100:100;;MdbReplication:MaxConcurrency:10;MdbReplication:Discretionary:2097152:6291456:52428800;MdbReplication:InternalMaintenance:2097152:6291456:52428800;MdbReplication:CustomerExpectation:2097152:6291456:52428800;MdbReplication:Urgent:2097152:6291456:52428800;;CiAgeOfLastNotification:MaxConcurrency:32767;CiAgeOfLastNotification:Discretionary:60:180:240;CiAgeOfLastNotification:InternalMaintenance:120:180:300;CiAgeOfLastNotification:CustomerExpectation:180:240:600;CiAgeOfLastNotification:Urgent:240:300:600;;CiRetryQueueSize:MaxConcurrency:32767;CiRetryQueueSize:Discretionary:10000000:11000000:12000000;CiRetryQueueSize:InternalMaintenance:10000000:11000000:12000000;CiRetryQueueSize:CustomerExpectation:10000000:11000000:12000000;CiRetryQueueSize:Urgent:10000000:11000000:12000000;;MdbAvailability:MaxConcurrency:10;MdbAvailability:Discretionary:11534336:105906176:1048576000;MdbAvailability:InternalMaintenance:11534336:105906176:1048576000;MdbAvailability:CustomerExpectation:11534336:105906176:1048576000;MdbAvailability:Urgent:11534336:105906176:1048576000;;Remote:MaxConcurrency:10;Remote:Discretionary:2147483645:2147483646:2147483647;Remote:InternalMaintenance:2147483645:2147483646:2147483647;Remote:CustomerExpectation:2147483645:2147483646:2147483647;Remote:Urgent:2147483645:2147483646:2147483647;'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1003'
       Level: '13'
       Description: 'Non standard syslog message (size too large).'
**Alert to be generated.

After changing the rule:

**Phase 1: Completed pre-decoding.
       full event: '2016 May 11 14:39:41 WinEvtLog: Application: INFORMATION(3010): MSExchange ADAccess: (no user): no domain: EXHANGE-1234.net: Process MSExchangeMailboxReplication.exe (MSExchMbxRepl) (PID=9876). Current policies: PolicyType:ResourcePolicy;None:Discretionary:2147483645:2147483646:2147483647;None:InternalMaintenance:2147483645:2147483646:2147483647;None:CustomerExpectation:2147483645:2147483646:2147483647;None:Urgent:2147483645:2147483646:2147483647;;ActiveDirectoryReplicationLatency:MaxConcurrency:32767;ActiveDirectoryReplicationLatency:Discretionary:5:20:45;ActiveDirectoryReplicationLatency:InternalMaintenance:5:25:45;ActiveDirectoryReplicationLatency:CustomerExpectation:5:30:50;ActiveDirectoryReplicationLatency:Urgent:5:60:100;;MdbLatency:MaxConcurrency:10;MdbLatency:Discretionary:10000:20000:70000;MdbLatency:InternalMaintenance:10000:20000:70000;MdbLatency:CustomerExpectation:15000:30000:70000;MdbLatency:Urgent:25000:50000:100000;;Processor:MaxConcurrency:32767;Processor:Discretionary:70:80:100;Processor:InternalMaintenance:75:85:100;Processor:CustomerExpectation:80:90:100;Processor:Urgent:100:100:100;;MdbReplication:MaxConcurrency:10;MdbReplication:Discretionary:2097152:6291456:52428800;MdbReplication:InternalMaintenance:2097152:6291456:52428800;MdbReplication:CustomerExpectation:2097152:6291456:52428800;MdbReplication:Urgent:2097152:6291456:52428800;;CiAgeOfLastNotification:MaxConcurrency:32767;CiAgeOfLastNotification:Discretionary:60:180:240;CiAgeOfLastNotification:InternalMaintenance:120:180:300;CiAgeOfLastNotification:CustomerExpectation:180:240:600;CiAgeOfLastNotification:Urgent:240:300:600;;CiRetryQueueSize:MaxConcurrency:32767;CiRetryQueueSize:Discretionary:10000000:11000000:12000000;CiRetryQueueSize:InternalMaintenance:10000000:11000000:12000000;CiRetryQueueSize:CustomerExpectation:10000000:11000000:12000000;CiRetryQueueSize:Urgent:10000000:11000000:12000000;;MdbAvailability:MaxConcurrency:10;MdbAvailability:Discretionary:11534336:105906176:1048576000;MdbAvailability:InternalMaintenance:11534336:105906176:1048576000;MdbAvailability:CustomerExpectation:11534336:105906176:1048576000;MdbAvailability:Urgent:11534336:105906176:1048576000;;Remote:MaxConcurrency:10;Remote:Discretionary:2147483645:2147483646:2147483647;Remote:InternalMaintenance:2147483645:2147483646:2147483647;Remote:CustomerExpectation:2147483645:2147483646:2147483647;Remote:Urgent:2147483645:2147483646:2147483647;'
       hostname: 'ix'
       program_name: 'WinEvtLog'
       log: 'Application: INFORMATION(3010): MSExchange ADAccess: (no user): no domain: EXHANGE-1234.net: Process MSExchangeMailboxReplication.exe (MSExchMbxRepl) (PID=9876). Current policies: PolicyType:ResourcePolicy;None:Discretionary:2147483645:2147483646:2147483647;None:InternalMaintenance:2147483645:2147483646:2147483647;None:CustomerExpectation:2147483645:2147483646:2147483647;None:Urgent:2147483645:2147483646:2147483647;;ActiveDirectoryReplicationLatency:MaxConcurrency:32767;ActiveDirectoryReplicationLatency:Discretionary:5:20:45;ActiveDirectoryReplicationLatency:InternalMaintenance:5:25:45;ActiveDirectoryReplicationLatency:CustomerExpectation:5:30:50;ActiveDirectoryReplicationLatency:Urgent:5:60:100;;MdbLatency:MaxConcurrency:10;MdbLatency:Discretionary:10000:20000:70000;MdbLatency:InternalMaintenance:10000:20000:70000;MdbLatency:CustomerExpectation:15000:30000:70000;MdbLatency:Urgent:25000:50000:100000;;Processor:MaxConcurrency:32767;Processor:Discretionary:70:80:100;Processor:InternalMaintenance:75:85:100;Processor:CustomerExpectation:80:90:100;Processor:Urgent:100:100:100;;MdbReplication:MaxConcurrency:10;MdbReplication:Discretionary:2097152:6291456:52428800;MdbReplication:InternalMaintenance:2097152:6291456:52428800;MdbReplication:CustomerExpectation:2097152:6291456:52428800;MdbReplication:Urgent:2097152:6291456:52428800;;CiAgeOfLastNotification:MaxConcurrency:32767;CiAgeOfLastNotification:Discretionary:60:180:240;CiAgeOfLastNotification:InternalMaintenance:120:180:300;CiAgeOfLastNotification:CustomerExpectation:180:240:600;CiAgeOfLastNotification:Urgent:240:300:600;;CiRetryQueueSize:MaxConcurrency:32767;CiRetryQueueSize:Discretionary:10000000:11000000:12000000;CiRetryQueueSize:InternalMaintenance:10000000:11000000:12000000;CiRetryQueueSize:CustomerExpectation:10000000:11000000:12000000;CiRetryQueueSize:Urgent:10000000:11000000:12000000;;MdbAvailability:MaxConcurrency:10;MdbAvailability:Discretionary:11534336:105906176:1048576000;MdbAvailability:InternalMaintenance:11534336:105906176:1048576000;MdbAvailability:CustomerExpectation:11534336:105906176:1048576000;MdbAvailability:Urgent:11534336:105906176:1048576000;;Remote:MaxConcurrency:10;Remote:Discretionary:2147483645:2147483646:2147483647;Remote:InternalMaintenance:2147483645:2147483646:2147483647;Remote:CustomerExpectation:2147483645:2147483646:2147483647;Remote:Urgent:2147483645:2147483646:2147483647;'

**Phase 2: Completed decoding.
       No decoder matched.

What I added to my local_rules.xml:

  <rule id="1003" level="13" maxsize="4096" overwrite="yes">
    <description>Non standard syslog message (size too large).</description>
  </rule>

dm00000 commented on August 18, 2024

Ok, I did finally manage to get this working with the comment help above. Thank you.

echo "2016 May 11 14:39:41 WinEvtLog: Application: INFORMATION(3010): MSExchange ADAccess: (no user): no domain: EXHANGE-1234.net: Process MSExchangeMailboxReplication.exe (MSExchMbxRepl) (PID=9876). Current policies: PolicyType:ResourcePolicy;None:Discretionary:2147483645:2147483646:2147483647;None:InternalMaintenance:2147483645:2147483646:2147483647;None:CustomerExpectation:2147483645:2147483646:2147483647;None:Urgent:2147483645:2147483646:2147483647;;ActiveDirectoryReplicationLatency:MaxConcurrency:32767;ActiveDirectoryReplicationLatency:Discretionary:5:20:45;ActiveDirectoryReplicationLatency:InternalMaintenance:5:25:45;ActiveDirectoryReplicationLatency:CustomerExpectation:5:30:50;ActiveDirectoryReplicationLatency:Urgent:5:60:100;;MdbLatency:MaxConcurrency:10;MdbLatency:Discretionary:10000:20000:70000;MdbLatency:InternalMaintenance:10000:20000:70000;MdbLatency:CustomerExpectation:15000:30000:70000;MdbLatency:Urgent:25000:50000:100000;;Processor:MaxConcurrency:32767;Processor:Discretionary:70:80:100;Processor:InternalMaintenance:75:85:100;Processor:CustomerExpectation:80:90:100;Processor:Urgent:100:100:100;;MdbReplication:MaxConcurrency:10;MdbReplication:Discretionary:2097152:6291456:52428800;MdbReplication:InternalMaintenance:2097152:6291456:52428800;MdbReplication:CustomerExpectation:2097152:6291456:52428800;MdbReplication:Urgent:2097152:6291456:52428800;;CiAgeOfLastNotification:MaxConcurrency:32767;CiAgeOfLastNotification:Discretionary:60:180:240;CiAgeOfLastNotification:InternalMaintenance:120:180:300;CiAgeOfLastNotification:CustomerExpectation:180:240:600;CiAgeOfLastNotification:Urgent:240:300:600;;CiRetryQueueSize:MaxConcurrency:32767;CiRetryQueueSize:Discretionary:10000000:11000000:12000000;CiRetryQueueSize:InternalMaintenance:10000000:11000000:12000000;CiRetryQueueSize:CustomerExpectation:10000000:11000000:12000000;CiRetryQueueSize:Urgent:10000000:11000000:12000000;;MdbAvailability:MaxConcurrency:10;MdbAvailability:Discretionary:11534336:105906176:1048576000;MdbAvailability:InternalMaintenance:11534336:105906176:1048576000;MdbAvailability:CustomerExpectation:11534336:105906176:1048576000;MdbAvailability:Urgent:11534336:105906176:1048576000;;Remote:MaxConcurrency:10;Remote:Discretionary:2147483645:2147483646:2147483647;Remote:InternalMaintenance:2147483645:2147483646:2147483647;Remote:CustomerExpectation:2147483645:2147483646:2147483647;Remote:Urgent:2147483645:2147483646:2147483647;" | /var/ossec/bin/ossec-logtest -v

I think the issue may be with the JSON output. Despite the additions to the local_rules.xml file, the JSON still lists the "Non standard syslog message (size too large)" message. It's like the JSON formatter/parser is not respecting the local_rules.xml file. (This may be a separate issue altogether.)
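
The behaviour the thread converges on (a maxsize rule fires when the log line is longer than the value; an overwrite="yes" copy of rule 1003 only takes effect when it sits inside a <group> in local_rules.xml, as dkade's comment says; a level 0 overwrite silences the alert, as mstarks01 observed) can be checked offline with the small model below. This is an added example, not OSSEC code and not from any commenter: it reimplements just enough of a rule loader to show those three interactions, so its results describe the model, not analysisd. Assumptions, also marked in the code: the stock rule ships with maxsize="1025" (an assumed default), a <rule> outside any <group> is skipped here whereas real OSSEC may instead reject the file, a repeated id without overwrite="yes" is treated as an error, and the three sample lines are constructed filler padded to the byte sizes quoted above (1027, 2428, 5024), not the real events.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DESCRIPTION = "Non standard syslog message (size too large)."

# Constructed stand-in for the stock rule 1003 in syslog_rules.xml.
# maxsize="1025" is an ASSUMED default, not a value quoted in the thread.
STOCK_RULES = f"""
<group name="syslog,">
  <rule id="1003" level="13" maxsize="1025">
    <description>{DESCRIPTION}</description>
  </rule>
</group>
"""

# Override appended AFTER the closing </group> of local_rules.xml:
# the misplacement the thread identifies.
LOCAL_RULES_OUTSIDE_GROUP = f"""
<group name="local,syslog,">
</group>
<rule id="1003" level="13" maxsize="4096" overwrite="yes">
  <description>{DESCRIPTION}</description>
</rule>
"""

# The same override placed inside the group, as dkade's comment advises.
LOCAL_RULES_INSIDE_GROUP = f"""
<group name="local,syslog,">
  <rule id="1003" level="13" maxsize="4096" overwrite="yes">
    <description>{DESCRIPTION}</description>
  </rule>
</group>
"""

Alert = Tuple[str, int, int]  # (rule id, level, byte length of the log line)


@dataclass
class Rule:
    rule_id: str
    level: int
    maxsize: Optional[int]
    description: str


def load_rules(*fragments: str) -> Dict[str, Rule]:
    """Load rule fragments in order, honouring overwrite="yes" on repeated ids.

    OSSEC rule files are not single-rooted XML, so each fragment is wrapped in
    a synthetic root. Model assumptions: a <rule> outside any <group> is
    skipped (real analysisd may instead reject the file; check ossec.log after
    a restart), and a repeated id without overwrite="yes" is an error.
    """
    rules: Dict[str, Rule] = {}
    for text in fragments:
        root = ET.fromstring(f"<ossec_rules>{text}</ossec_rules>")
        for group in root.findall("group"):
            for el in group.findall("rule"):
                rid = el.get("id")
                if rid is None:
                    raise ValueError("rule without an id attribute")
                if rid in rules and el.get("overwrite") != "yes":
                    raise ValueError(f'duplicate rule id {rid} without overwrite="yes"')
                maxsize = el.get("maxsize")
                rules[rid] = Rule(
                    rule_id=rid,
                    level=int(el.get("level", "0")),
                    maxsize=int(maxsize) if maxsize else None,
                    description=(el.findtext("description") or "").strip(),
                )
    return rules


def maxsize_alerts(rules: Dict[str, Rule], log_lines: List[str]) -> List[Alert]:
    """Return an alert for every line longer than a rule's maxsize.

    A level 0 rule still matches but produces no alert, which is the
    "set the overwrite rule to 0 and it stops alerting" data point above.
    """
    alerts: List[Alert] = []
    for line in log_lines:
        size = len(line.encode("utf-8"))
        for rule in rules.values():
            if rule.maxsize is not None and size > rule.maxsize and rule.level > 0:
                alerts.append((rule.rule_id, rule.level, size))
    return alerts


def sample_lines() -> List[str]:
    """Constructed stand-ins for the three Windows event lines in the thread,
    padded with filler to the byte sizes the reporter gave (1027, 2428, 5024)."""
    prefix = "2016 May 11 14:39:41 WinEvtLog: "
    return [prefix + "x" * (n - len(prefix)) for n in (1027, 2428, 5024)]


def run_scenarios() -> Dict[str, List[Alert]]:
    """Evaluate the sample lines against four rule-file layouts."""
    lines = sample_lines()
    silenced = LOCAL_RULES_INSIDE_GROUP.replace('level="13"', 'level="0"')
    return {
        "stock": maxsize_alerts(load_rules(STOCK_RULES), lines),
        "outside_group": maxsize_alerts(load_rules(STOCK_RULES, LOCAL_RULES_OUTSIDE_GROUP), lines),
        "inside_group": maxsize_alerts(load_rules(STOCK_RULES, LOCAL_RULES_INSIDE_GROUP), lines),
        "inside_group_level0": maxsize_alerts(load_rules(STOCK_RULES, silenced), lines),
    }


if __name__ == "__main__":
    for name, alerts in run_scenarios().items():
        print(f"{name:20s} alerted sizes: {[size for _, _, size in alerts]}")
```

Running the file prints the byte sizes alerted under each layout: the outside_group row matching the stock row is the "maxsize has no effect" symptom, and the inside_group row (only the 5024-byte line) is what dkade's placement yields. On a real install the equivalent check is the one shown in the comment above: pipe the actual line into /var/ossec/bin/ossec-logtest and see whether Phase 3 still reports rule 1003.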

ellococareloco commented on August 18, 2024

And how do I solve the JSON case? I already applied the local rule and it still does not work; I still generate the events.

ddpbsd commented on August 18, 2024

@ellococareloco What version of OSSEC are you using? Where are you seeing the issue? Can you give me a sample?

schleussinger commented on August 18, 2024

Here you go. It still happens for my Mastodon JSON logging in OSSEC 3.1.0; I had already tried putting this into local_rules.xml:

<rule id="1003" level="13" maxsize="2000" overwrite="yes">
  <description>Non standard syslog message (size too large).</description>
</rule>

However, I still receive such alerts for messages of ~1250 chars:

Received From: (mastodon) xxx.xxx.xxx.xxx->/var/log/syslog
Rule: 1003 fired (level 13) -> "Non standard syslog message (size too large)."
Portion of the log(s):

Feb 4 08:15:37 mastodon bundle[1037]: 2019-02-04T07:15:37.155Z 1037 TID-ovd90mvop WARN: {"context":"Job raised exception","job":{"class":"ActivityPub::DeliveryWorker","args":["{\"@context\":[\"https://www.w3.org/ns/activitystreams\",\"https://w3id.org/security/v1\",{\"manuallyApprovesFollowers\":\"as:manuallyApprovesFollowers\",\"sensitive\":\"as:sensitive\",\"movedTo\":{\"@id\":\"as:movedTo\",\"@type\":\"@id\"},\"alsoKnownAs\":{\"@id\":\"as:alsoKnownAs\",\"@type\":\"@id\"},\"Hashtag\":\"as:Hashtag\",\"ostatus\":\"http://ostatus.org#\",\"atomUri\":\"ostatus:atomUri\",\"inReplyToAtomUri\":\"ostatus:inReplyToAtomUri\",\"conversation\":\"ostatus:conversation\",\"toot\":\"http://joinmastodon.org/ns#\",\"Emoji\":\"toot:Emoji\",\"focalPoint\":{\"@container\":\"@list\",\"@id\":\"toot:focalPoint\"},\"featured\":{\"@id\":\"toot:featured\",\"@type\":\"@id\"},\"schema\":\"http://schema.org#\",\"PropertyValue\":\"schema:PropertyValue\",\"value\":\"schema:value\"}],\"id\":\"https://xxxxxxxxx.xxxxxx/users/itnewsbot/statuses/12345678912345678/activity\",\"type\":\"Create\",\"actor\":\"https://xxxxxxxxx.xxxxxx/users/itnewsbot\",\"published\":\"2019-02-04T07:15:05Z\",\"to\":[\"https://www.w3.org/ns/activitystreams#Public\"],\"cc\":[\"https://xxxxxxxxx.xxxxxx

 --END OF NOTIFICATION

Thanks for any help in fixing this.
