Hi, I think you are confusing the "srcip" with the "location" field. The location is where the log came from and the srcip is only set when the log itself reports a source ip.
For example, on this SSH log:

Apr 1 05:48:09 intranet sshd[22938]: Accepted password for root from 1.2.3.4 port 22011 ssh2

The location of the log is "intranet", while the source IP is 1.2.3.4.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Mar 29, 2010 at 11:39 AM, Davide D'Amico <davide.dam...@gmail.com> wrote:
> Thanks for your answers.
> I don't have an agent on the remote hosts; I'm collecting logs on a
> centralized syslog-ng which passes events to an ossec process.
>
> d.
>
> 2010/3/29 dan (ddp) <ddp...@gmail.com>:
>> Run this message through /var/ossec/bin/ossec-logtest
>> Writing a decoder for this shouldn't be too difficult.
>> There isn't really a srcip for this event (if I'm reading it right).
>> The event looks like a local event (local to the agent that reported
>> it), so there wouldn't be a srcip involved.
>>
>> On Sun, Mar 28, 2010 at 5:15 PM, Davide D'Amico <davide.dam...@gmail.com> wrote:
>>> Hi,
>>> I'm using syslog-ng to collect and centralize log management.
>>>
>>> Syslog is configured:
>>>
>>> [...]
>>> destination d_ossec {
>>>     udp(127.0.0.1, destport(1025) spoof_source(yes) template($MSG));
>>> };
>>>
>>> source s_network {
>>>     udp();
>>>     tcp(port(514) max-connections(1000));
>>> };
>>>
>>> log {
>>>     source(s_network);
>>>     filter(f_network6);
>>>     destination(d_ossec);
>>> };
>>> [...]
>>>
>>> Well, I receive in the syslog log file:
>>>
>>> r...@newton:/var/ossec/logs/alerts# tail -1 /usr/local/logs/network7/esx.housing.tomato.lan/2010/03/28/local6.log
>>> Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 1700000003000000b type CHAR: Would block
>>>
>>> While I see in alerts.log:
>>>
>>> ** Alert 1269810692.31088430: - syslog,errors,
>>> 2010 Mar 28 23:11:32 newton->172.16.7.120
>>> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>>> Src IP: (none)
>>> User: (none)
>>> vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 1700000003000000b type CHAR: Would block
>>>
>>> Why do I see Src IP and User empty? I mean, I can understand an empty
>>> username (it's a remote event), but why is Src IP empty?
>>>
>>> Rule 1002 is:
>>>
>>> <rule id="1002" level="2">
>>>   <match>$BAD_WORDS</match>
>>>   <description>Unknown problem somewhere in the system.</description>
>>> </rule>
>>>
>>> Thanks,
>>> --
>>> d.
>>>
>>> To unsubscribe from this group, send email to
>>> ossec-list+unsubscribegooglegroups.com or reply to this email with the
>>> words "REMOVE ME" as the subject.
>>>
>>
>
> --
> d.
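As an added illustration of the location/srcip distinction Daniel describes (this is example code written for this page, not code from the thread or from OSSEC itself), here is a small Python model of the decode step. The syslog header parser, the two-entry decoder table and the field names are assumptions made for the example; real OSSEC decoders are XML under /var/ossec/etc and are exercised with ossec-logtest. The two sample lines are constructed from the sshd and vmkernel messages quoted above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample events, modelled on the two log lines quoted in the thread.
SSH_LOG = ("Apr 1 05:48:09 intranet sshd[22938]: "
           "Accepted password for root from 1.2.3.4 port 22011 ssh2")
VMK_LOG = ("Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770 "
           "cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 "
           "oid: 1700000003000000b type CHAR: Would block")

# BSD syslog header: "<timestamp> <hostname> <program>[<pid>]: <message>".
# The hostname is what this model reports as the event's location.
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


@dataclass
class Decoded:
    location: str            # where the log came from (syslog hostname here)
    program: str             # program name from the syslog header
    srcip: Optional[str] = None   # only set if the message body itself names a source IP
    user: Optional[str] = None
    decoder: str = "unknown"      # which decoder matched, "unknown" if none


# Hypothetical decoder table (an assumption for this example), in the spirit of
# OSSEC's <decoder> entries: a program_name to match and, optionally, a regex
# that pulls srcip/user out of the message body. The vmkernel entry matches the
# program only: nothing in that message is a source IP, so srcip stays None.
DECODERS = {
    "sshd": ("sshd-success",
             re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<srcip>\S+) port \d+")),
    "vmkernel": ("vmkernel", None),
}


def valid_ip(text: str) -> bool:
    """Accept only a literal IPv4/IPv6 address as srcip, never a hostname."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def decode(line: str) -> Optional[Decoded]:
    """Split a syslog line into location/program, then run the matching decoder."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    out = Decoded(location=m["host"], program=m["prog"])
    entry = DECODERS.get(out.program)
    if entry is None:
        return out                      # falls through to generic rules
    name, body_re = entry
    out.decoder = name
    if body_re is not None:
        b = body_re.match(m["msg"])
        if b:
            out.user = b["user"]
            if valid_ip(b["srcip"]):
                out.srcip = b["srcip"]
    return out


def alert_fields(line: str) -> dict:
    """Render the decoded event the way the Src IP / User lines of an alert would."""
    d = decode(line)
    if d is None:
        return {"location": "(none)", "srcip": "(none)", "user": "(none)"}
    return {
        "location": d.location,
        "srcip": d.srcip or "(none)",
        "user": d.user or "(none)",
    }


if __name__ == "__main__":
    for sample in (SSH_LOG, VMK_LOG):
        print(alert_fields(sample))
```

Run against the two samples, the sshd line yields location "intranet" with srcip 1.2.3.4 and user root, while the vmkernel line yields location "esx.housing.tomato.lan" with srcip and user both "(none)", which is exactly what the alert in the thread shows. To check the same thing against the real engine, paste the line into /var/ossec/bin/ossec-logtest as dan suggests; the fields it prints are the ones the alert will carry.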