A little more information may help to clear this up: all of the missed
srcip occurred at the same time: from 11:52:44 to 14:08:20 on Dec 1 and from
22:13:55 on Dec 1 until now (2 days later), so I think it is fairly likely
that I added a custom decoder or rule that has caused this effect. When I
Greetings Daniel:
Thank you for this help, and your regular and timely help for ossec
I'm not able to change the formatting at present; we use Bastille for
Linux, and I'm not sure (at present) what hacking I can get away with
in that area.
What would I change in the decode to support multiple
Hi everyone,
I'm just trying to figure out how to monitor the built-in Windows
firewall logs with ossec. I have the Windows policies configured,
logging, etc., but I'm not sure what the log_format directive should be
set to. Thanks for your help.
Aaron
Hi,
Your rules/decoders are very good, with just one small problem:
child decoders will use the parent name by default instead of their own,
so your rules will not match. If you change it to have use_own_name,
it should work:

<decoder name="sendmail-blocked-cbl">
  <use_own_name>true</use_own_name>
Hi Jim,
I am quite lost with your problem in here, since none of these logs
would be parsed by the default sendmail decoder from ossec. I saw you
did a few by yourself and they are probably the ones parsing it...
Btw, it would be nice to include them by default on ossec (if you want to release