I've been trying to get ossec to work with netscreen logs. I'm unable to figure
out why only device name ns5gt works.
Replacing that name with any other valid device name in decoder.xml doesn't
produce any records in firewall.log
I also tried completely removing program_name and just leaving
Hi Peter,
I agree with Jeff. If you can send some logs to us, we can definitely write some
rules/decoders for it.
We only have a few samples:
http://www.ossec.net/wiki/index.php/Log_Samples_Sonicwall
But with a few more we can easily add support for it.
*btw, if you prefer, you can send to me
Hi Tom,
Can you send some log samples to us? Our decoder looks for:
<decoder name="netscreenfw">
  <program_name>^sav00|^ns5gt</program_name>
  <prematch>^NetScreen device_id</prematch>
</decoder>
Probably that's why it only works with ns5gt. However, we were told
this would be present in all netscreen
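To make the gating effect of that decoder concrete, here is a small re-implementation (an added example, not OSSEC's own code) of how the program_name and prematch fields filter a syslog line. It assumes lines reach the decoder as "Mon DD HH:MM:SS host program: message", and the sample lines and the device name ns204 are constructed, not taken from anyone's logs.

```python
import re

# Simplified model of OSSEC's decoder gating. OSSEC has its own regex dialect;
# here only '^' (anchor at start) and '|' (whole-pattern alternation) are
# honoured and everything else is matched literally, which is all the
# netscreenfw decoder quoted above needs.

# Assumed syslog framing: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) ([^:\[\s]+)(?:\[\d+\])?: ?(.*)$"
)

# Constructed sample lines; ns5gt is the device name from the thread,
# ns204 is a hypothetical second device.
SAMPLES = [
    "Jan 12 10:00:01 fw1 ns5gt: NetScreen device_id=ns5gt [Root]system-notification-00257(traffic): start_time=...",
    "Jan 12 10:00:02 fw2 ns204: NetScreen device_id=ns204 [Root]system-notification-00257(traffic): start_time=...",
]


def ossec_match(pattern, text):
    """True if any '|'-separated alternative matches; '^' anchors at the start."""
    for alt in pattern.split("|"):
        if alt.startswith("^"):
            if text.startswith(alt[1:]):
                return True
        elif alt in text:
            return True
    return False


def decodes(line, program_name="^sav00|^ns5gt", prematch="^NetScreen device_id"):
    """Mirror netscreenfw: program_name (when set) must match the syslog program
    field first; only then is prematch tried against the message body."""
    m = SYSLOG_RE.match(line)
    if not m:
        return False
    _host, program, message = m.groups()
    if program_name and not ossec_match(program_name, program):
        return False  # never reaches prematch, so no firewall.log record
    return ossec_match(prematch, message)


if __name__ == "__main__":
    for line in SAMPLES:
        print(decodes(line), decodes(line, program_name=""), line[:40])
```

The second call in the loop shows what happens with program_name removed entirely: the prematch on "NetScreen device_id" alone then accepts both devices.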
Hi Peter,
Note that the timeout for the active response is 10 minutes, so
after that the IP is going to be removed from the block list. If you look
at /var/ossec/logs/active-responses.log, do you see the responses being
called? (Look at the agent that generated the alert and not at
the server.) If