
Netstat changes not showing previous output on JSON logs #1180

Closed
joaopsys opened this issue Jul 7, 2017 · 5 comments · Fixed by #1184

Comments

@joaopsys
Contributor

joaopsys commented Jul 7, 2017

I'm using OSSEC with JSON logs, and whenever I google OSSEC's netstat changes, I always see log examples followed by the previous netstat output, which makes total sense so we can know exactly what ports were opened/closed.

I'm not seeing that previous output on the JSON logs, is this intended?

```json
{"rule":{"level":7,"comment":"Listened ports status (netstat) changed (new port opened or closed).","sidid":533,"group":"ossec,"},"id":"1499219780.484842","TimeStamp":1499219780000,"decoder":"ossec","location":"(xxx.xxx.xxx.xxx) 10.66.0.12->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort","full_log":"ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':\ntcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN \ntcp 0 0 :::111 :::* LISTEN \ntcp 0 0 :::2049 :::* LISTEN \ntcp 0 0 :::22 :::* LISTEN \ntcp 0 0 :::45720 :::* LISTEN \ntcp 0 0 :::54242 :::* LISTEN \ntcp 0 0 :::5666 :::* LISTEN ","hostname":"(xxx.xxx.xxx.xxx) 10.66.0.12->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort"}
```

@ddpbsd
Member

ddpbsd commented Jul 8, 2017

I don't know how it's supposed to be handled in the json log. It might just be a limited space issue. You could try to find any differences in what is written in the alerts.log file and compare it to what's written in the alerts.json file. Maybe something is left out in the case of the netstat command.

@joaopsys
Contributor Author

joaopsys commented Jul 8, 2017

I should've done that already, my bad.
I omitted some ports from my json logs above, but I'll post the full result in both formats right now:

Original .log (it also seems to be trimmed, running netstat on the server gives me more than 20 lines, while this one has 14, and the last line is not even complete)

```
** Alert 1499219780.4848425: mail  - ossec,
2017 Jul 05 02:56:20 (xxx.xxx.xxx.xxx) 10.66.0.12->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort
Rule: 533 (level 7) -> 'Listened ports status (netstat) changed (new port opened or closed).'
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:2049                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:35974               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:38970               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:45967               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:46099               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:56998               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:5
Previous output:
ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:143                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:2049                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:21                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:35974               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:38970               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:45967               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:46099               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:56998               0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:5
```

JSON log:

```json
{"rule":{"level":7,"comment":"Listened ports status (netstat) changed (new port opened or closed).","sidid":533,"group":"ossec,"},"id":"1499219780.484842","TimeStamp":1499219780000,"decoder":"ossec","location":"(xxx.xxx.xxx.xxx) 10.66.0.12->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort","full_log":"ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':\ntcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:35974 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:38970 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:45967 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:46099 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:56998 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:875 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:9000 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN \ntcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN \ntcp 0 0 :::111 :::* LISTEN \ntcp 0 0 :::2049 :::* LISTEN \ntcp 0 0 :::22 :::* LISTEN \ntcp 0 0 :::45720 :::* LISTEN \ntcp 0 0 :::54242 :::* LISTEN \ntcp 0 0 :::5666 :::* LISTEN \ntcp 0 0 :::57209 :::* LISTEN \ntcp 0 0 :::60504 :::* LISTEN \ntcp 0 0 :::60642 :::* LISTEN ","hostname":"(xxx.xxx.xxx.xxx) 10.66.0.12->netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort"}
```

Both logs are clearly different and both are being trimmed. I'm using JSON logs because they're easier to parse, and it would help a lot if I had the full output. Is there any configurable variable that defines the character limit or something along those lines?
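The opened/closed port list the reporter wants can be recovered from the alerts.log alert above by diffing its two netstat sections. This is an added example, not OSSEC code; it assumes the alert body layout shown in the thread (current section, then a `Previous output:` separator), uses constructed sample snapshots, and treats the truncated trailing line as noise rather than a socket:

```python
import re
from typing import Optional, Set, Tuple

# Constructed sample snapshots in the layout of the rule 533 alert body above; the
# trailing "tcp 0 0 0.0.0.0:5" line mimics the truncated tail of the fixed buffer.
CURRENT = """ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:9000                0.0.0.0:*                   LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 0.0.0.0:5"""
PREVIOUS = """ossec: output: 'netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort':
tcp        0      0 0.0.0.0:110                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:5666                0.0.0.0:*                   LISTEN
tcp        0      0 :::22                       :::*                        LISTEN"""

# proto  recv-q  send-q  local-addr:port  foreign-addr  state
SOCKET_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN$")

def split_alert(body: str) -> Tuple[str, Optional[str]]:
    """Split an alert body into (current, previous); previous is None when the
    'Previous output:' section is absent, as in the JSON full_log above."""
    current, sep, previous = body.partition("\nPrevious output:\n")
    return current, (previous if sep else None)

def parse_listeners(section: str) -> Tuple[Set[Tuple[str, str, int]], int]:
    """Return (proto, addr, port) listeners and the count of unparseable lines."""
    listeners, skipped = set(), 0
    for line in section.splitlines():
        line = line.strip()
        if not line or line.startswith("ossec: output:"):
            continue
        m = SOCKET_RE.match(line)
        if m is None:  # truncated tail or unexpected text: count it, don't trust it
            skipped += 1
            continue
        listeners.add((m.group(1), m.group(2), int(m.group(3))))
    return listeners, skipped

def diff_listeners(body: str) -> dict:
    """Report sockets opened/closed since the previous snapshot."""
    current, previous = split_alert(body)
    if previous is None:
        raise ValueError("alert has no 'Previous output:' section to diff against")
    cur, cur_skipped = parse_listeners(current)
    prev, prev_skipped = parse_listeners(previous)
    return {"opened": sorted(cur - prev), "closed": sorted(prev - cur),
            "truncated_lines": cur_skipped + prev_skipped}
```

Passing the JSON full_log from the thread to `diff_listeners` raises, which is exactly the gap this issue reports; a non-zero `truncated_lines` flags that the buffer cut off part of a snapshot and the diff may be incomplete.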

@ddpbsd
Member

ddpbsd commented Jul 8, 2017

They all get trimmed a bit. There are hard coded buffer sizes in the code. You'd have to modify them.
It's on the long list of things to look into eventually, but I haven't had the chance to see what breaks when those things are modified.

@joaopsys
Contributor Author

joaopsys commented Jul 8, 2017

Yeah, I just found issue #473.

I will play around with the limits on src/analysisd/alerts/log.c and see what I can achieve.

@joaopsys
Contributor Author

joaopsys commented Jul 9, 2017

The limits are fine for me, since they don't affect the JSON output.

What's really missing is just the previous output, since the full_log contains all of my netstat output.

Trying to fix this with #1184
