Re: [ossec-list] syslog-ng and fields in log file
Hi,

I think you are confusing the srcip with the location field. The location is where the log came from, and the srcip is only set when the log itself reports a source ip. For example, on this SSH log:

    Apr 1 05:48:09 intranet sshd[22938]: Accepted password for root from 1.2.3.4 port 22011 ssh2

the location of the log is intranet, while the source ip is 1.2.3.4.

Thanks,

-- 
Daniel B. Cid
dcid ( at ) ossec.net

On Mon, Mar 29, 2010 at 11:39 AM, Davide D'Amico davide.dam...@gmail.com wrote:
> Thanks for your answers. I don't have an agent on the remote hosts; I'm collecting logs on a centralized syslog-ng which passes events to an ossec process.
>
> d.
>
> 2010/3/29 dan (ddp) ddp...@gmail.com:
>> Run this message through /var/ossec/bin/ossec-logtest. Writing a decoder for this shouldn't be too difficult. There isn't really a srcip for this event (if I'm reading it right). The event looks like a local event (local to the agent that reported it), so there wouldn't be a srcip involved.
>>
>> On Sun, Mar 28, 2010 at 5:15 PM, Davide D'Amico davide.dam...@gmail.com wrote:
>>> Hi, I'm using syslog-ng to collect and centralize log management. Syslog is configured:
>>>
>>> [...]
>>> destination d_ossec { udp(127.0.0.1, destport(1025) spoof_source(yes) template($MSG)); };
>>> source s_network { udp(); tcp(port(514) max-connections(1000)); };
>>> log { source(s_network); filter(f_network6); destination(d_ossec); };
>>> [...]
>>>
>>> Well, I receive in the syslog log file:
>>>
>>> r...@newton:/var/ossec/logs/alerts# tail -1 /usr/local/logs/network7/esx.housing.tomato.lan/2010/03/28/local6.log
>>> Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 17000300b type CHAR: Would block
>>>
>>> while I see in alerts.log:
>>>
>>> ** Alert 1269810692.31088430: - syslog,errors,
>>> 2010 Mar 28 23:11:32 newton->172.16.7.120
>>> Rule: 1002 (level 2) - 'Unknown problem somewhere in the system.'
>>> Src IP: (none)
>>> User: (none)
>>> vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 17000300b type CHAR: Would block
>>>
>>> Why do I see Src IP and User empty? I mean, I can understand an empty username (it's a remote event), but why is Src IP empty?
>>>
>>> Rule 1002 is:
>>>
>>> <rule id="1002" level="2">
>>>   <match>$BAD_WORDS</match>
>>>   <description>Unknown problem somewhere in the system.</description>
>>> </rule>
>>>
>>> Thanks,
>>>
>>> -- 
>>> d.

To unsubscribe from this group, send email to ossec-list+unsubscribe@googlegroups.com or reply to this email with the words REMOVE ME as the subject.
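To make the location/srcip distinction above concrete, here is an added Python sketch (not OSSEC's own code and not from anyone in this thread) that splits the two log lines quoted in the thread into a syslog header and body and runs a hypothetical per-program decoder over the body: the sshd line yields a srcip, the vmkernel warning yields none because the message itself carries no IP. The decoder regexes and field names are assumptions standing in for decoder.xml.

```python
import re

# Constructed sample input: the two log lines quoted in this thread.
SAMPLE_LOGS = [
    "Apr 1 05:48:09 intranet sshd[22938]: Accepted password for root "
    "from 1.2.3.4 port 22011 ssh2",
    "Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770 "
    "cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, "
    "fs: def5 oid: 17000300b type CHAR: Would block",
]

# BSD syslog header: "Mon DD HH:MM:SS host program[pid]: message".
# The host in the header is the "location"; it is never the srcip.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<location>\S+) (?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Hypothetical per-program decoders (stand-ins for OSSEC's decoder.xml):
# named groups become decoded fields. Only sshd exposes a srcip; the
# vmkernel warning carries no IP, so srcip can never be filled for it.
DECODERS = {
    "sshd": re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<srcip>[\d.]+) port \d+"),
    "vmkernel": re.compile(r"WARNING: (?P<data>[^:]+): \d+: "),
}


def decode(line):
    """Return location plus whatever fields the program's decoder extracts."""
    fields = {"location": None, "program": None, "srcip": None,
              "user": None, "data": None, "decoded": False}
    m = HEADER_RE.match(line)
    if not m:
        return fields  # not even a syslog header: nothing decoded
    fields["location"] = m["location"]
    fields["program"] = m["program"]
    dec = DECODERS.get(m["program"])
    if dec is not None:
        body = dec.search(m["msg"])
        if body:
            fields.update(body.groupdict())
            fields["decoded"] = True
    return fields


def decode_all(lines=SAMPLE_LOGS):
    return [decode(line) for line in lines]


if __name__ == "__main__":
    for f in decode_all():
        print(f["program"], "location=", f["location"], "srcip=", f["srcip"])
```

Running it prints a location for both lines but a srcip only for sshd, which is exactly why the alert in the thread shows "Src IP: (none)".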
Re: [ossec-list] syslog-ng and fields in log file
Hi,

The reason for this is that OSSEC cannot make anything of this message. You should look at the vmware decoder in /var/ossec/etc/decoder.xml and change it so it will pick up this message.

cheers,
W

On 28 Mar 2010, at 23:15, Davide D'Amico wrote:
> Hi, I'm using syslog-ng to collect and centralize log management. Syslog is configured:
>
> [...]
> destination d_ossec { udp(127.0.0.1, destport(1025) spoof_source(yes) template($MSG)); };
> source s_network { udp(); tcp(port(514) max-connections(1000)); };
> log { source(s_network); filter(f_network6); destination(d_ossec); };
> [...]
>
> Well, I receive in the syslog log file:
>
> r...@newton:/var/ossec/logs/alerts# tail -1 /usr/local/logs/network7/esx.housing.tomato.lan/2010/03/28/local6.log
> Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 17000300b type CHAR: Would block
>
> while I see in alerts.log:
>
> ** Alert 1269810692.31088430: - syslog,errors,
> 2010 Mar 28 23:11:32 newton->172.16.7.120
> Rule: 1002 (level 2) - 'Unknown problem somewhere in the system.'
> Src IP: (none)
> User: (none)
> vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 17000300b type CHAR: Would block
>
> Why do I see Src IP and User empty? I mean, I can understand an empty username (it's a remote event), but why is Src IP empty?
>
> Rule 1002 is:
>
> <rule id="1002" level="2">
>   <match>$BAD_WORDS</match>
>   <description>Unknown problem somewhere in the system.</description>
> </rule>
>
> Thanks,
>
> -- 
> d.
Re: [ossec-list] syslog-ng and fields in log file
Run this message through /var/ossec/bin/ossec-logtest. Writing a decoder for this shouldn't be too difficult. There isn't really a srcip for this event (if I'm reading it right). The event looks like a local event (local to the agent that reported it), so there wouldn't be a srcip involved.

On Sun, Mar 28, 2010 at 5:15 PM, Davide D'Amico davide.dam...@gmail.com wrote:
> Hi, I'm using syslog-ng to collect and centralize log management. Syslog is configured:
>
> [...]
> destination d_ossec { udp(127.0.0.1, destport(1025) spoof_source(yes) template($MSG)); };
> source s_network { udp(); tcp(port(514) max-connections(1000)); };
> log { source(s_network); filter(f_network6); destination(d_ossec); };
> [...]
>
> Well, I receive in the syslog log file:
>
> r...@newton:/var/ossec/logs/alerts# tail -1 /usr/local/logs/network7/esx.housing.tomato.lan/2010/03/28/local6.log
> Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 17000300b type CHAR: Would block
>
> while I see in alerts.log:
>
> ** Alert 1269810692.31088430: - syslog,errors,
> 2010 Mar 28 23:11:32 newton->172.16.7.120
> Rule: 1002 (level 2) - 'Unknown problem somewhere in the system.'
> Src IP: (none)
> User: (none)
> vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 17000300b type CHAR: Would block
>
> Why do I see Src IP and User empty? I mean, I can understand an empty username (it's a remote event), but why is Src IP empty?
>
> Rule 1002 is:
>
> <rule id="1002" level="2">
>   <match>$BAD_WORDS</match>
>   <description>Unknown problem somewhere in the system.</description>
> </rule>
>
> Thanks,
>
> -- 
> d.
Re: [ossec-list] syslog-ng and fields in log file
Thanks for your answers. I don't have an agent on the remote hosts; I'm collecting logs on a centralized syslog-ng which passes events to an ossec process.

d.

2010/3/29 dan (ddp) ddp...@gmail.com:
> Run this message through /var/ossec/bin/ossec-logtest. Writing a decoder for this shouldn't be too difficult. There isn't really a srcip for this event (if I'm reading it right). The event looks like a local event (local to the agent that reported it), so there wouldn't be a srcip involved.
>
> On Sun, Mar 28, 2010 at 5:15 PM, Davide D'Amico davide.dam...@gmail.com wrote:
>> Hi, I'm using syslog-ng to collect and centralize log management. Syslog is configured:
>>
>> [...]
>> destination d_ossec { udp(127.0.0.1, destport(1025) spoof_source(yes) template($MSG)); };
>> source s_network { udp(); tcp(port(514) max-connections(1000)); };
>> log { source(s_network); filter(f_network6); destination(d_ossec); };
>> [...]
>>
>> Well, I receive in the syslog log file:
>>
>> r...@newton:/var/ossec/logs/alerts# tail -1 /usr/local/logs/network7/esx.housing.tomato.lan/2010/03/28/local6.log
>> Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 17000300b type CHAR: Would block
>>
>> while I see in alerts.log:
>>
>> ** Alert 1269810692.31088430: - syslog,errors,
>> 2010 Mar 28 23:11:32 newton->172.16.7.120
>> Rule: 1002 (level 2) - 'Unknown problem somewhere in the system.'
>> Src IP: (none)
>> User: (none)
>> vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 17000300b type CHAR: Would block
>>
>> Why do I see Src IP and User empty? I mean, I can understand an empty username (it's a remote event), but why is Src IP empty?
>>
>> Rule 1002 is:
>>
>> <rule id="1002" level="2">
>>   <match>$BAD_WORDS</match>
>>   <description>Unknown problem somewhere in the system.</description>
>> </rule>
>>
>> Thanks,
>>
>> -- 
>> d.

-- 
d.