Re: [ossec-list] syslog-ng and fields in log file

2010-04-01 Thread Daniel Cid
Hi,

I think you are confusing the srcip with the location field. The location is where
the log came from and the srcip is only set when the log itself reports a source ip.

For example, on this SSH log:

Apr  1 05:48:09 intranet sshd[22938]: Accepted password for root from
1.2.3.4 port 22011 ssh2


The location of the log is intranet, while the source ip is 1.2.3.4.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Mar 29, 2010 at 11:39 AM, Davide D'Amico
davide.dam...@gmail.com wrote:
 Thanks for your answers.
 I don't have an agent on the remote hosts; I'm collecting logs on a
 centralized syslog-ng which passes events to an ossec process.

 d.

 2010/3/29 dan (ddp) ddp...@gmail.com:
 Run this message through /var/ossec/bin/ossec-logtest
 Writing a decoder for this shouldn't be too difficult.
 There isn't really a srcip for this event (if I'm reading it right).
 The event looks like a local event (local to the agent that reported
 it), so there wouldn't be a srcip involved.

 On Sun, Mar 28, 2010 at 5:15 PM, Davide D'Amico davide.dam...@gmail.com 
 wrote:
 Hi,
 I'm using syslog-ng to collect and centralize log management.

 Syslog is configured:

 [...]
 destination d_ossec {
  udp("127.0.0.1" destport(1025) spoof_source(yes) template("$MSG"));
 };

 source s_network {
udp();
tcp(port(514) max-connections(1000));
 };


 log {
  source(s_network);
  filter(f_network6);
  destination(d_ossec);
 };


 [...]

 Well, I receive this in the syslog log file:

 r...@newton:/var/ossec/logs/alerts# tail -1
 /usr/local/logs/network7/esx.housing.tomato.lan/2010/03/28/local6.log
 Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770
 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5
 oid: 17000300b type CHAR: Would block

 While I see in alerts.log:

 ** Alert 1269810692.31088430: - syslog,errors,
 2010 Mar 28 23:11:32 newton-172.16.7.120
 Rule: 1002 (level 2) - 'Unknown problem somewhere in the system.'
 Src IP: (none)
 User: (none)
 vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to
 crossdup fd 1, fs: def5 oid: 17000300b type CHAR: Would block

 Why do I see Src IP and User empty? I mean, I can understand an empty
 username (it's a remote event), but why is Src IP empty?

 Rule 1002 is:

  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>


 Thanks,
 --
 d.

 To unsubscribe from this group, send email to 
 ossec-list+unsubscribegooglegroups.com or reply to this email with the 
 words REMOVE ME as the subject.






 --
 d.




Re: [ossec-list] syslog-ng and fields in log file

2010-03-29 Thread Wim Remes
Hi,

The reason for this is that OSSEC cannot make anything of this message.

You should look at the vmware decoder in /var/ossec/etc/decoder.xml and change
it so it will pick up this message.

cheers,

W
On 28 Mar 2010, at 23:15, Davide D'Amico wrote:

 Hi,
 I'm using syslog-ng to collect and centralize log management.
 
 Syslog is configured:
 
 [...]
 destination d_ossec {
  udp("127.0.0.1" destport(1025) spoof_source(yes) template("$MSG"));
 };
 
 source s_network {
udp();
tcp(port(514) max-connections(1000));
 };
 
 
 log {
  source(s_network);
  filter(f_network6);
  destination(d_ossec);
 };
 
 
 [...]
 
 Well, I receive this in the syslog log file:
 
 r...@newton:/var/ossec/logs/alerts# tail -1
 /usr/local/logs/network7/esx.housing.tomato.lan/2010/03/28/local6.log
 Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770
 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5
 oid: 17000300b type CHAR: Would block
 
 While I see in alerts.log:
 
 ** Alert 1269810692.31088430: - syslog,errors,
 2010 Mar 28 23:11:32 newton-172.16.7.120
 Rule: 1002 (level 2) - 'Unknown problem somewhere in the system.'
 Src IP: (none)
 User: (none)
 vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to
 crossdup fd 1, fs: def5 oid: 17000300b type CHAR: Would block
 
 Why do I see Src IP and User empty? I mean, I can understand an empty
 username (it's a remote event), but why is Src IP empty?
 
 Rule 1002 is:
 
  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>
 
 
 Thanks,
 -- 
 d.
 



Re: [ossec-list] syslog-ng and fields in log file

2010-03-29 Thread dan (ddp)
Run this message through /var/ossec/bin/ossec-logtest
Writing a decoder for this shouldn't be too difficult.
There isn't really a srcip for this event (if I'm reading it right).
The event looks like a local event (local to the agent that reported
it), so there wouldn't be a srcip involved.

On Sun, Mar 28, 2010 at 5:15 PM, Davide D'Amico davide.dam...@gmail.com wrote:
 Hi,
 I'm using syslog-ng to collect and centralize log management.

 Syslog is configured:

 [...]
 destination d_ossec {
  udp("127.0.0.1" destport(1025) spoof_source(yes) template("$MSG"));
 };

 source s_network {
        udp();
        tcp(port(514) max-connections(1000));
 };


 log {
  source(s_network);
  filter(f_network6);
  destination(d_ossec);
 };


 [...]

 Well, I receive this in the syslog log file:

 r...@newton:/var/ossec/logs/alerts# tail -1
 /usr/local/logs/network7/esx.housing.tomato.lan/2010/03/28/local6.log
 Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770
 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5
 oid: 17000300b type CHAR: Would block

 While I see in alerts.log:

 ** Alert 1269810692.31088430: - syslog,errors,
 2010 Mar 28 23:11:32 newton-172.16.7.120
 Rule: 1002 (level 2) - 'Unknown problem somewhere in the system.'
 Src IP: (none)
 User: (none)
 vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to
 crossdup fd 1, fs: def5 oid: 17000300b type CHAR: Would block

 Why do I see Src IP and User empty? I mean, I can understand an empty
 username (it's a remote event), but why is Src IP empty?

 Rule 1002 is:

  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>


 Thanks,
 --
 d.




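Daniel's distinction between location and srcip, and dan's suggestion to run the line through ossec-logtest, are easiest to see with a toy decoder. The following Python is an added example, not OSSEC code and not from anyone in this thread: it splits the two syslog lines quoted above the way a decoder pass would, fills `srcip` and `user` only when the message body reports them, and renders the `Src IP: (none)` / `User: (none)` lines as alerts.log prints them. The `DECODERS` table, `decode()` and `format_alert()` are hypothetical stand-ins for decoder.xml entries and the alert writer, the regexes are Python rather than OSSEC decoder syntax, and the `location` override models the fact that the alert in the thread names the host OSSEC received from (`newton-172.16.7.120`) rather than the ESX hostname in the syslog header.

```python
import re
from typing import Optional

# Constructed sample input: the sshd line quoted in Daniel Cid's reply and the
# vmkernel line from the original post, both in BSD syslog form as they would
# be fed to ossec-logtest.
SSHD_LINE = ("Apr  1 05:48:09 intranet sshd[22938]: Accepted password for root "
             "from 1.2.3.4 port 22011 ssh2")
VMK_LINE = ("Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770 "
            "cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 "
            "oid: 17000300b type CHAR: Would block")

# Syslog header: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Hypothetical per-program decoders standing in for decoder.xml entries.
# Only the sshd pattern has srcip/user groups, because only that message
# carries them; the vmkernel pattern pulls out what its message actually has.
DECODERS = {
    "sshd": re.compile(
        r"^Accepted \S+ for (?P<user>\S+) from (?P<srcip>\d+\.\d+\.\d+\.\d+) port \d+"
    ),
    "vmkernel": re.compile(
        r"^(?P<uptime>\S+) cpu\d+:\d+\)(?P<level>[A-Z]+): (?P<subsystem>\w+):"
    ),
}


def decode(line: str, location: Optional[str] = None) -> Optional[dict]:
    """Split a syslog line into the fields an OSSEC alert reports.

    `location` is where the log came from. It defaults to the hostname in the
    syslog header, but the caller can pass the sender OSSEC really received
    from (a collector IP, as in the thread's alert). `srcip` and `user` stay
    None unless the message body itself reports them.
    """
    header = SYSLOG_HEADER.match(line)
    if header is None:
        return None  # not a syslog line at all; nothing to decode
    fields = {
        "location": location or header.group("host"),
        "program_name": header.group("program"),
        "srcip": None,
        "user": None,
    }
    decoder = DECODERS.get(fields["program_name"])
    if decoder is not None:
        body = decoder.match(header.group("msg"))
        if body is not None:
            fields.update({k: v for k, v in body.groupdict().items() if v is not None})
    return fields


def format_alert(fields: dict) -> str:
    """Render the Src IP / User lines the way alerts.log prints them."""
    srcip = fields.get("srcip") or "(none)"
    user = fields.get("user") or "(none)"
    return f"Src IP: {srcip}\nUser: {user}"


if __name__ == "__main__":
    for line, loc in ((SSHD_LINE, None), (VMK_LINE, "newton-172.16.7.120")):
        decoded = decode(line, location=loc)
        print(f"location={decoded['location']} program={decoded['program_name']}")
        print(format_alert(decoded))
        print()
```

Run as a script it prints `intranet` / `Src IP: 1.2.3.4` / `User: root` for the sshd line and `newton-172.16.7.120` / `Src IP: (none)` / `User: (none)` for the vmkernel line: the second message decodes fine (uptime, level and subsystem come out), it simply has no source address to report, which is what an empty Src IP in an alert means.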

Re: [ossec-list] syslog-ng and fields in log file

2010-03-29 Thread Davide D'Amico
Thanks for your answers.
I don't have an agent on the remote hosts; I'm collecting logs on a
centralized syslog-ng which passes events to an ossec process.

d.

2010/3/29 dan (ddp) ddp...@gmail.com:
 Run this message through /var/ossec/bin/ossec-logtest
 Writing a decoder for this shouldn't be too difficult.
 There isn't really a srcip for this event (if I'm reading it right).
 The event looks like a local event (local to the agent that reported
 it), so there wouldn't be a srcip involved.

 On Sun, Mar 28, 2010 at 5:15 PM, Davide D'Amico davide.dam...@gmail.com 
 wrote:
 Hi,
 I'm using syslog-ng to collect and centralize log management.

 Syslog is configured:

 [...]
 destination d_ossec {
  udp("127.0.0.1" destport(1025) spoof_source(yes) template("$MSG"));
 };

 source s_network {
        udp();
        tcp(port(514) max-connections(1000));
 };


 log {
  source(s_network);
  filter(f_network6);
  destination(d_ossec);
 };


 [...]

 Well, I receive this in the syslog log file:

 r...@newton:/var/ossec/logs/alerts# tail -1
 /usr/local/logs/network7/esx.housing.tomato.lan/2010/03/28/local6.log
 Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770
 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5
 oid: 17000300b type CHAR: Would block

 While I see in alerts.log:

 ** Alert 1269810692.31088430: - syslog,errors,
 2010 Mar 28 23:11:32 newton-172.16.7.120
 Rule: 1002 (level 2) - 'Unknown problem somewhere in the system.'
 Src IP: (none)
 User: (none)
 vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to
 crossdup fd 1, fs: def5 oid: 17000300b type CHAR: Would block

 Why do I see Src IP and User empty? I mean, I can understand an empty
 username (it's a remote event), but why is Src IP empty?

 Rule 1002 is:

  <rule id="1002" level="2">
    <match>$BAD_WORDS</match>
    <description>Unknown problem somewhere in the system.</description>
  </rule>


 Thanks,
 --
 d.







-- 
d.
