Hi JM, I think you are confusing it a bit. The logformat in the "localfile" configuration is only used to tell ossec how to read the logs, not anything else. In fact, the apache, squid, syslog fields act the same in there (all one entry per line logs)...
What determines the "category" of them is the decoder. If the decoder reads a PIX log, it will set it to the "firewall" category or if it reads an apache log, it will set it as web_log (look at the decoders.xml and the type tags).

Regarding your log, our decoder is not treating it properly as a firewall because it has an additional hostname in there.

> Sep 28 10:21:21 10.2.103.1 Sep 28 2007 10:21:21 firewall-hostname :
> %ASA-2-106001: Inbound TCP connection denied from 216.239.51.104/80 to
> 1.2.3.4/56713 flags PSH ACK on interface outside

We support the PIX date format, but not an additional hostname. Take a look at the following link:
http://www.ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_examples#Configuring_PIX

*btw, you can keep the additional timestamp in there, but not the extra hostname.

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/28/07, ubahmapk <[EMAIL PROTECTED]> wrote:
>
> This is a question I've been wondering: what logformat value should be
> used for a firewall rule, if it isn't syslog? I checked the source in
> localfile-config.c and I don't see any value there that indicates this
> is possible. The only values I see are: syslog, snort-full, snort-fast,
> apache, iis, squid, nmapg, and EVENTLOG. I can see where
> Philipp could change his logformat to apache or iis (since he is
> concerned with a webserver), but I'm getting 1002 on all my firewall
> entries, too.
>
> A bit of background: we use syslog-ng as our syslog server instead of
> the built-in ossec syslog server because syslog-ng gives us the
> ability to break out our logs into separate files which is a great
> help when we are manually examining the logs during troubleshooting.
> I've added the files to be watched in the ossec.conf as syslog files.
>
> A sample log entry looks like:
>
> Sep 28 10:21:21 10.2.103.1 Sep 28 2007 10:21:21 firewall-hostname :
> %ASA-2-106001: Inbound TCP connection denied from 216.239.51.104/80 to
> 1.2.3.4/56713 flags PSH ACK on interface outside
>
> The first timestamp is the time on the syslog server and the second
> timestamp is from the original host. This allows some correlation if
> the time is off[1]
>
> Granted, I haven't been using OSSEC for very long and have a lot of
> reading in front of me, but I haven't found much in the way of
> logformat options. Despite the fact that I plastered everywhere that
> OSSEC supports such and such. Are all these supposed to go into
> syslog format? And does OSSEC have a problem with running a separate
> syslog server?
>
> Thanks for all your help.
>
> JM
>
> [1] yes we use NTP for time, but sometimes things go wrong and this
> double entry for time has proven to be a great help to us in the past.
>
> On Sep 27, 8:03 pm, "Daniel Cid" <[EMAIL PROTECTED]> wrote:
> > Hi Philipp,
> >
> > Sorry for the late reply... Catching up on e-mails :)
> >
> > Your web servers' logs should not be checked against rule 1002, which
> > is exclusive to
> > syslog messages. Internally, on ossec, we separate the logs per
> > category (weblog, syslog, proxy, firewall, etc) and it wouldn't match
> > Apache logs against syslog ones, unless the
> > apache log is not being decoded properly.
> >
> > Can you show us a sample from your logs? Are they in a different
> > format than the default
> > apache one?
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
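The decoder-driven categorisation Daniel describes, as an added Python illustration that is not OSSEC's own code: a toy decoder strips the syslog-ng header, prematches on the %PIX/%ASA/%FWSM tag to assign the category, and shows how the extra "hostname :" defeats a decoder that does not expect it. The regex names, the decode() function and the sample lines are constructed for this example; the addresses and hostname are the ones quoted in the thread.

```python
import re

# Header prepended by the syslog server (syslog-ng here): "Sep 28 10:21:21 10.2.103.1 ".
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) (?P<rest>.*)$")

# Optional PIX/ASA date prefix, optionally followed by the extra "hostname : "
# that the thread identifies as the problem, then the %PIX/%ASA/%FWSM tag.
PIX_PREFIX = re.compile(
    r"^(?:[A-Z][a-z]{2} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2} )?"
    r"(?:(?P<pix_host>[\w.-]+) : )?"
    r"(?P<msg>%(?:PIX|ASA|FWSM)-\d-\d+: .*)$")

# Field extraction for the "Inbound ... connection denied" message family (106001).
PIX_DENIED = re.compile(
    r"^%(?:PIX|ASA|FWSM)-\d-(?P<msg_id>\d+): Inbound (?P<proto>\w+) connection "
    r"denied from (?P<srcip>[\d.]+)/(?P<srcport>\d+) "
    r"to (?P<dstip>[\d.]+)/(?P<dstport>\d+)")


def decode(line, accept_extra_hostname):
    """Toy decoder (constructed, not OSSEC's): strip the syslog header, prematch
    on the firewall tag to pick the category, extract fields only on a firewall
    match. Returns (category, fields); 'syslog' is the fallback category."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return "unknown", {}
    p = PIX_PREFIX.match(m.group("rest"))
    # A decoder that does not expect "hostname :" fails its prematch here, so
    # the line is treated as generic syslog and never reaches firewall rules.
    if not p or (p.group("pix_host") and not accept_extra_hostname):
        return "syslog", {"hostname": m.group("host")}
    fields = {"hostname": p.group("pix_host") or m.group("host")}
    d = PIX_DENIED.match(p.group("msg"))
    if d:
        fields.update(d.groupdict())
    return "firewall", fields


# Constructed sample lines covering the three variants discussed in the thread.
BODY = ("%ASA-2-106001: Inbound TCP connection denied from 216.239.51.104/80 "
        "to 1.2.3.4/56713 flags PSH ACK on interface outside")
SAMPLES = {
    "pix_only": "Sep 28 10:21:21 10.2.103.1 " + BODY,
    "pix_date": "Sep 28 10:21:21 10.2.103.1 Sep 28 2007 10:21:21 " + BODY,
    "extra_host": "Sep 28 10:21:21 10.2.103.1 Sep 28 2007 10:21:21 firewall-hostname : " + BODY,
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, decode(line, False)[0], decode(line, True)[0])
```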