Hi,

I think you are confusing the "srcip" with the "location" field. The
location is where the log came from and the srcip is only set when the
log itself reports a source ip.

For example, on this SSH log:

Apr  1 05:48:09 intranet sshd[22938]: Accepted password for root from 1.2.3.4 port 22011 ssh2


The location of the log is "intranet", while the source ip is 1.2.3.4.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Mar 29, 2010 at 11:39 AM, Davide D'Amico
<davide.dam...@gmail.com> wrote:
> Thanks for your answers.
> I don't have an agent on remote hosts; I'm collecting logs on a
> centralized syslog-ng which passes events to an ossec process.
>
> d.
>
> 2010/3/29 dan (ddp) <ddp...@gmail.com>:
>> Run this message through /var/ossec/bin/ossec-logtest
>> Writing a decoder for this shouldn't be too difficult.
>> There isn't really a srcip for this event (if I'm reading it right).
>> The event looks like a local event (local to the agent that reported
>> it), so there wouldn't be a srcip involved.
>>
>> On Sun, Mar 28, 2010 at 5:15 PM, Davide D'Amico <davide.dam...@gmail.com> 
>> wrote:
>>> Hi,
>>> I'm using syslog-ng to collect and centralize log management.
>>>
>>> Syslog is configured:
>>>
>>> [...]
>>> destination d_ossec {
>>>  udp(127.0.0.1, destport(1025) spoof_source(yes) template($MSG));
>>> };
>>>
>>> source s_network {
>>>        udp();
>>>        tcp(port(514) max-connections(1000));
>>> };
>>>
>>>
>>> log {
>>>  source(s_network);
>>>  filter(f_network6);
>>>  destination(d_ossec);
>>> };
>>>
>>>
>>> [...]
>>>
>>> Well, I receive in syslog log file:
>>>
>>> r...@newton:/var/ossec/logs/alerts# tail -1
>>> /usr/local/logs/network7/esx.housing.tomato.lan/2010/03/28/local6.log
>>> Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770
>>> cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5
>>> oid: 1700000003000000b type CHAR: Would block
>>>
>>> While I see in alerts.log:
>>>
>>> ** Alert 1269810692.31088430: - syslog,errors,
>>> 2010 Mar 28 23:11:32 newton->172.16.7.120
>>> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>>> Src IP: (none)
>>> User: (none)
>>> vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to
>>> crossdup fd 1, fs: def5 oid: 1700000003000000b type CHAR: Would block
>>>
>>> Why do I see Src IP and User empty? I mean, I can understand an empty
>>> username (it's a remote event), but why is Src IP empty?
>>>
>>> Rule 1002 is:
>>>
>>>  <rule id="1002" level="2">
>>>    <match>$BAD_WORDS</match>
>>>    <description>Unknown problem somewhere in the system.</description>
>>>  </rule>
>>>
>>>
>>> Thanks,
>>> --
>>> d.
>>>
>>> To unsubscribe from this group, send email to 
>>> ossec-list+unsubscribegooglegroups.com or reply to this email with the 
>>> words "REMOVE ME" as the subject.
>>>
>>
>>
>
>
>
> --
> d.
>
>

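An added example, not from this thread and not OSSEC's own decoder code, that models the distinction Daniel draws: `location` comes from the syslog header, or from receiver and sender address for a log forwarded over remote syslog (the alert's "newton->172.16.7.120" form), while `srcip` and `user` are filled only when the message body itself names them. The sample lines are constructed from the two logs quoted in the thread, and the `alert_fields` rendering goes slightly beyond the thread by printing "(none)" the way alerts.log does.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines, modelled on the two logs quoted in this thread.
SSHD_LINE = ("Apr  1 05:48:09 intranet sshd[22938]: Accepted password for root "
             "from 1.2.3.4 port 22011 ssh2")
VMKERNEL_LINE = ("Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770 "
                 "cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, "
                 "fs: def5 oid: 1700000003000000b type CHAR: Would block")

# BSD syslog header: timestamp, hostname, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
# The only decoder pattern here whose message body names a source address.
SSHD_ACCEPT_RE = re.compile(
    r"Accepted \S+ for (?P<user>\S+) from (?P<srcip>\d{1,3}(?:\.\d{1,3}){3}) port \d+")


@dataclass
class Decoded:
    location: str          # where the log came from
    program: str
    srcip: Optional[str]   # set only when the message itself reports one
    user: Optional[str]


def decode(line: str, receiver: Optional[str] = None,
           sender_ip: Optional[str] = None) -> Decoded:
    """Simplified model of location vs. srcip (not OSSEC's own decoder).
    For a log forwarded over remote syslog the location is "receiver->sender_ip"
    (cf. the alert's "newton->172.16.7.120"); otherwise it is the syslog hostname.
    srcip and user come from the message body only when a pattern matches.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    location = "%s->%s" % (receiver, sender_ip) if receiver and sender_ip else m.group("host")
    srcip = user = None
    body = SSHD_ACCEPT_RE.search(m.group("msg"))
    if body:
        srcip, user = body.group("srcip"), body.group("user")
    return Decoded(location, m.group("prog").strip(), srcip, user)


def alert_fields(d: Decoded) -> dict:
    """Render the fields the way alerts.log prints them ("(none)" when unset)."""
    return {"Location": d.location, "Src IP": d.srcip or "(none)",
            "User": d.user or "(none)"}
```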