"no logging device-id" fixed it.
Thanks.
On Aug 28, 2006, at 2:23 PM, Daniel Cid wrote:
The problem is that your logs do not conform to the syslog RFC. A syslog
message should have <date> <hostname> <message> (in addition
to the headers). Yours have <date> <ip> <hostname> <message>.
Is this message coming directly from the PIX? Looks like your syslog
daemon is messing things up...
*ossec is very strict when parsing syslog messages.
*you can configure ossec to receive remote syslog directly. It will avoid these problems...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 8/28/06, Erick Kinnee <[EMAIL PROTECTED]> wrote:
Aug 28 06:26:31 10.2.78.1 fw01.GTC-unitedway.com %PIX-4-106023: Deny udp src outside:65.150.205.39/8523 dst db:66.111.106.118/1026 by access-group "acl_outside" [0x0, 0x0]
Aug 28 06:26:31 10.2.78.1 fw01.GTC-unitedway.com %PIX-4-106023: Deny udp src outside:65.97.66.110/26467 dst dmz:66.111.106.160/1026 by access-group "acl_outside" [0x0, 0x0]
Like I said, it fires alerts such as this:
OSSEC HIDS Notification.
2006 Aug 28 10:25:36
Received From: 10.2.78.1->/mnt/logdisk/10.2.78.1/10.2.78.1.log
Rule: 1002 fired (level 7) -> "Unknown problem somewhere in the system."
Portion of the log(s):
fw01.GTC-unitedway.com %PIX-5-304001: 203.199.127.57 Accessed URL 10.2.79.11:/admin/webadmin/main.php
On Aug 28, 2006, at 2:09 PM, Daniel Cid wrote:
> Can you show us a few lines of these logs? In addition to that, we
> made a few fixes in the latest snapshot to support the extra pix
> timestamping. If you can try it:
>
> http://www.ossec.net/files/snapshots/ossec-hids-060820.tar.gz
>
> Maybe your problem is fixed already there...
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 8/28/06, Erick Kinnee <[EMAIL PROTECTED]> wrote:
>>
>> OSSEC is reading the PIX logs sent to it via syslog, it generates
>> alerts, but all of the alerts say "Unknown problem somewhere in the
>> system." They don't seem to be picking up the descriptions from
>> pix_rules.xml. Why?
>>
>
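The format mismatch Daniel describes (PIX with "logging device-id" emitting <date> <ip> <hostname> <message>, so a strict decoder sees the IP as the hostname and the real hostname as the start of the message, where it expects %PIX-) can be checked on the wire before the lines ever reach the HIDS. The parser below is an added example for this thread, not OSSEC's decoder and not code from the OSSEC project: it reads BSD-style syslog headers, reports whether a strict parse lands on a %PIX- message, and optionally strips the extra device-id token so the message field starts with %PIX- as OSSEC expects. The regexes, the normalization rule, and the sample lines are assumptions constructed for the example (the first two lines mirror the shape of the lines posted above; the third is the shape the PIX emits after "no logging device-id").

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample lines (not captured from a live system). Lines 1 and 2
# have the extra device-id IP before the hostname; line 3 does not.
SAMPLE_LINES = [
    'Aug 28 06:26:31 10.2.78.1 fw01.GTC-unitedway.com %PIX-4-106023: Deny udp src '
    'outside:65.150.205.39/8523 dst db:66.111.106.118/1026 by access-group "acl_outside" [0x0, 0x0]',
    'Aug 28 06:26:31 10.2.78.1 fw01.GTC-unitedway.com %PIX-5-304001: 203.199.127.57 '
    'Accessed URL 10.2.79.11:/admin/webadmin/main.php',
    'Aug 28 06:26:31 fw01.GTC-unitedway.com %PIX-4-106023: Deny udp src '
    'outside:65.150.205.39/8523 dst db:66.111.106.118/1026 by access-group "acl_outside" [0x0, 0x0]',
]

# BSD syslog header as written to a file by a syslog daemon: "Mon DD HH:MM:SS host msg".
# The hostname is the single token after the timestamp; everything after it is the message.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# PIX message tag: %PIX-<severity>-<6-digit id>: <body>
PIX_MSG_RE = re.compile(r"^%PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<body>.*)$")


@dataclass
class Parsed:
    timestamp: str
    hostname: str
    message: str
    pix_severity: Optional[int]
    pix_id: Optional[str]
    normalized: bool  # True if an extra device-id token was stripped


def strict_pix_matches(line: str) -> bool:
    """What a strict decoder sees: does the message field (the text right after
    the single hostname token) begin with a %PIX- tag?"""
    m = HEADER_RE.match(line)
    return bool(m and PIX_MSG_RE.match(m["msg"]))


def normalize_device_id(hostname: str, message: str) -> Tuple[str, str, bool]:
    """Heuristic (an assumption of this example): if the hostname slot holds an
    IPv4 address and the message starts with a non-%PIX token followed by a
    valid %PIX- tag, treat the IP as a prepended device-id and drop it."""
    if IPV4_RE.match(hostname):
        first, _, rest = message.partition(" ")
        if first and not first.startswith("%PIX-") and PIX_MSG_RE.match(rest):
            return first, rest, True
    return hostname, message, False


def parse_syslog_line(line: str) -> Parsed:
    """Parse one line, normalizing the device-id layout when detected."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line: %r" % line[:40])
    host, msg, normalized = normalize_device_id(m["host"], m["msg"])
    pix = PIX_MSG_RE.match(msg)
    return Parsed(
        timestamp=m["ts"],
        hostname=host,
        message=msg,
        pix_severity=int(pix["sev"]) if pix else None,
        pix_id=pix["id"] if pix else None,
        normalized=normalized,
    )


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        p = parse_syslog_line(line)
        print("strict decoder sees %%PIX-: %-5s | normalized: %-5s | host=%s id=%s sev=%s"
              % (strict_pix_matches(line), p.normalized, p.hostname, p.pix_id, p.pix_severity))
```

Running it shows the two device-id lines failing the strict check while the normalizer still recovers hostname, message id and severity from them; the "no logging device-id" line passes the strict check untouched. Fixing the source (as the thread does) or having OSSEC receive the syslog stream directly is preferable to rewriting lines in front of the HIDS, since a heuristic like this one could misclassify a hostname that happens to look like an IP.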