The problem is that your logs do not conform to the syslog RFC. A syslog message should have <date> <hostname> <message> (in addition to the headers). Yours have <date> <ip> <hostname> <message>.
Is this message coming directly from the PIX? Looks like your syslog daemon is messing things up...

* ossec is very strict when parsing syslog messages.
* you can configure ossec to receive remote syslog directly. It will avoid these problems...

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/28/06, Erick Kinnee <[EMAIL PROTECTED]> wrote:
> Aug 28 06:26:31 10.2.78.1 fw01.GTC-unitedway.com %PIX-4-106023: Deny udp src outside:65.150.205.39/8523 dst db:66.111.106.118/1026 by access-group "acl_outside" [0x0, 0x0]
> Aug 28 06:26:31 10.2.78.1 fw01.GTC-unitedway.com %PIX-4-106023: Deny udp src outside:65.97.66.110/26467 dst dmz:66.111.106.160/1026 by access-group "acl_outside" [0x0, 0x0]
>
> Like I said, it fires alerts such as this:
>
> OSSEC HIDS Notification.
> 2006 Aug 28 10:25:36
>
> Received From: 10.2.78.1->/mnt/logdisk/10.2.78.1/10.2.78.1.log
> Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
> Portion of the log(s):
>
> fw01.GTC-unitedway.com %PIX-5-304001: 203.199.127.57 Accessed URL 10.2.79.11:/admin/webadmin/main.php
>
> On Aug 28, 2006, at 2:09 PM, Daniel Cid wrote:
>
> > Can you show us a few lines of these logs? In addition to that, we
> > made a few fixes in the latest snapshot to support the extra pix
> > timestamping. If you can try it:
> >
> > http://www.ossec.net/files/snapshots/ossec-hids-060820.tar.gz
> >
> > Maybe your problem is fixed already there...
> >
> > Thanks,
> >
> > --
> > Daniel B. Cid
> > dcid ( at ) ossec.net
> >
> > On 8/28/06, Erick Kinnee <[EMAIL PROTECTED]> wrote:
> > >
> > > OSSEC is reading the PIX logs sent to it via syslog, it generates
> > > alerts, but all of the alerts say "Unknown problem somewhere in the
> > > system." They don't seem to be picking up the descriptions from
> > > pix_rules.xml. Why?
> > >
> >
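An added example, not from the thread or from OSSEC itself, showing the mechanism Daniel describes: a strict `<date> <hostname> <message>` parser takes the relay IP as the hostname, so the `%PIX-` prefix no longer sits at the start of the message body and a PIX decoder that anchors there cannot match (hence the generic rule 1002 alert). Dropping the injected IP restores the expected layout. The regexes, function names and the "relay IP" normalization are illustrative assumptions, not OSSEC's own decoder logic; the sample line is the first one Erick posted.

```python
import re
from typing import Optional

# BSD syslog header as the text expects it: "<date> <hostname> <message>".
# Simplified, assumed regex for illustration; not OSSEC's own parser.
SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# A PIX decoder anchored at the start of the message body (assumed shape).
PIX_RE = re.compile(r"^%PIX-(?P<level>\d)-(?P<id>\d{6}): (?P<text>.*)$")

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Line quoted in the thread: relay IP 10.2.78.1 sits before the firewall hostname.
RELAY_LINE = ('Aug 28 06:26:31 10.2.78.1 fw01.GTC-unitedway.com %PIX-4-106023: '
              'Deny udp src outside:65.150.205.39/8523 dst db:66.111.106.118/1026 '
              'by access-group "acl_outside" [0x0, 0x0]')


def parse_syslog(line: str) -> Optional[dict]:
    """Split a line into date, host and msg the way a strict syslog parser would."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode_pix(msg: str) -> Optional[dict]:
    """Match the PIX prefix only at the very start of the message body."""
    m = PIX_RE.match(msg)
    return m.groupdict() if m else None


def normalize_relay_line(line: str) -> str:
    """If the host field is an IPv4 address (a relay inserted it), drop it so the
    line is "<date> <hostname> <message>" again; otherwise return it unchanged."""
    parsed = parse_syslog(line)
    if parsed and IPV4_RE.match(parsed["host"]):
        return f'{parsed["date"]} {parsed["msg"]}'  # msg starts with real hostname
    return line


def classify(line: str) -> str:
    """'pix:<id>' when the PIX decoder matches, 'unknown' when only the generic
    rule would fire, 'unparsable' when the syslog header itself does not parse."""
    parsed = parse_syslog(line)
    if parsed is None:
        return "unparsable"
    pix = decode_pix(parsed["msg"])
    return f"pix:{pix['id']}" if pix else "unknown"
```

Running `classify` on `RELAY_LINE` gives "unknown", while `classify(normalize_relay_line(RELAY_LINE))` gives "pix:106023"; receiving syslog directly in OSSEC, as Daniel suggests, avoids the relay field altogether.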
