A question: are you using the agents to send the alerts to the server, or are you 
sending to the syslog?
Dennis

-----Original Message-----
From: [email protected] <[email protected]>
To: [email protected] <[email protected]>
Sent: Mon Sep 11 05:28:40 2006
Subject: [ossec-list] Re: ip being reported as 0.0.0.0 & timestamp misbehaving

I understand that ossec2base has been renamed to ossec2mysql; in what ways does 
this affect the installation procedure? Are the *.pl files still inside 
ossec-ui-****** @ http://www.riunx.com/public or are they inside ossec-hids**** 
@ ossec.net?

i'm still getting the wrong timestamp and ip, it's driving me nuts :)

do you think the architecture i've implemented (see below) is ok or prone to 
"errors"?

./vcorreia

Meir Michanie wrote: 

I posted a fix inside ossec2mysql (ex ossec2base): the month should say Sep and 
not Set.


On 9/8/06, Vitor Correia <[EMAIL PROTECTED]> wrote: 

hello Meir and everyone,

as promised i've set up a new testbed where i have a central logging server via 
syslogd (-r) and a bunch of other workstations reporting their syslogs to that 
server. all is well and i've even managed to start writing down installation 
instructions :)

now, there are two things that don't work properly: timestamp is reported as 
"0000-00-00 00:00:00" and ossec2base can't parse the correct "agent" ip when 
reporting from /var/log/*

e.g.:

** Alert 1157715877.7436: nomail
2006 Sep 08 12:44:37 testbed2 -> /var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: (10.0.3.1)
User: root
sshd[15796]: Failed password for root from ::ffff:10.0.3.1 port 57468 ssh2

** Alert 1157715877.7133: mail
2006 Sep 08 12:44:37 testbed2 -> /var/log/messages
Rule: 2502 (level 10) -> 'User missed the password more than one time'
Src IP: (0.0.0.0)
User: (none)
sshd(pam_unix)[15794]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.3.1  user=root


i'm running the latest ossec-hids version (server installation) with email 
notification (so that i can compare results), along with ossec-ui latest 
version dating 08-Sep-2006 01:10.

syslog: syslogd -m 0 -r
realtime feed: /usr/bin/perl -w /usr/local/bin/ossec2based.pl --conf 
/etc/ossec2base.conf -d --sensor ossecbase

i don't think i'm missing any important info.

what do you think might be the problem?

./vcorreia

Vitor Correia
Systems Administrator
-- 
Mobbit Systems
[EMAIL PROTECTED] | Telemóvel: + 351 916 448 025
Avenida do Forte, 8 - 1º Andar - Frente 01 - 2795-503 Carnaxide
Telefone: + 351 21 418 01 40 | Fax: + 351 21 418 01 41
[EMAIL PROTECTED] | www.mobbit.net

,-O 
O(_)) for a better world
`-O 

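The two symptoms in this thread (a timestamp stored as "0000-00-00 00:00:00" and a Src IP of 0.0.0.0 on the composite rule 2502) both come from the alert-to-database step accepting fields it could not interpret. The parser below is an added example written for this thread; it is not ossec2base/ossec2mysql code and does not reproduce Meir's fix. It assumes the alert layout shown in Vitor's two quoted alerts, treats "Set" as the Portuguese abbreviation for September that a pt locale would emit (an assumption: the thread only says the month printed as "Set"), refuses to silently store a zero timestamp when it meets a month it does not know, unwraps IPv4-mapped IPv6 addresses such as ::ffff:10.0.3.1, and, when the alert's own Src IP is unspecified, falls back to the rhost=/from fields in the quoted log text (my heuristic, not OSSEC behaviour). The sample alerts are constructed from the thread's quoted output.

```python
"""Parse OSSEC-style text alerts into records with a valid timestamp and a usable
source IP. Constructed example for the ossec-list thread; not ossec2mysql's own code."""
import re
from datetime import datetime
from ipaddress import ip_address, IPv6Address

# Month abbreviations: English, plus Portuguese forms that differ from English.
# Assumption: the "Set" in the thread is the Portuguese abbreviation of "Setembro".
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
MONTHS.update({"Fev": 2, "Abr": 4, "Mai": 5, "Ago": 8, "Set": 9, "Out": 10, "Dez": 12})

HEADER_RE = re.compile(r"^\*\* Alert (?P<id>\d+\.\d+):\s*(?P<flags>.*)$")
WHEN_RE = re.compile(r"^(?P<year>\d{4}) (?P<mon>[A-Za-z]{3}) (?P<day>\d{1,2}) "
                     r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<host>.+?)\s*->\s*(?P<location>\S+)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
SRCIP_RE = re.compile(r"^Src IP: \(?(?P<ip>[^)]*)\)?$")
USER_RE = re.compile(r"^User: \(?(?P<user>[^)]*)\)?$")
# Fallback IP extraction from the raw log text (heuristic; pam_unix writes rhost=<ip>,
# sshd writes "from <ip>").
LOG_IP_RES = [re.compile(r"\brhost=(?P<ip>[0-9A-Fa-f:.]+)"),
              re.compile(r"\bfrom (?P<ip>[0-9A-Fa-f:.]+)")]

# Constructed sample modelled on the two alerts quoted in the thread; the second one
# carries the locale month "Set" and the unspecified Src IP that ossec2base stored.
SAMPLE_ALERTS = """\
** Alert 1157715877.7436: nomail
2006 Sep 08 12:44:37 testbed2 -> /var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: (10.0.3.1)
User: root
sshd[15796]: Failed password for root from ::ffff:10.0.3.1 port 57468 ssh2

** Alert 1157715877.7133: mail
2006 Set 08 12:44:37 testbed2 -> /var/log/messages
Rule: 2502 (level 10) -> 'User missed the password more than one time'
Src IP: (0.0.0.0)
User: (none)
sshd(pam_unix)[15794]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.3.1  user=root
"""


def normalize_ip(text):
    """Canonical IPv4/IPv6 string, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d).
    Returns None for '(none)', empty, unparseable or unspecified (0.0.0.0, ::) input."""
    try:
        ip = ip_address(text.strip())
    except ValueError:
        return None
    if isinstance(ip, IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return None if ip.is_unspecified else str(ip)


def parse_timestamp(year, mon, day, time):
    """Build a datetime; an unknown month abbreviation raises instead of becoming zeros."""
    if mon not in MONTHS:
        raise ValueError(f"unknown month abbreviation {mon!r}")
    return datetime.strptime(f"{year}-{MONTHS[mon]:02d}-{int(day):02d} {time}",
                             "%Y-%m-%d %H:%M:%S")


def parse_alert(block):
    """Parse one '** Alert' block into a dict. Fields the alert lacks are None;
    'src_ip_source' says whether the IP came from the alert header or the log text."""
    lines = [ln for ln in block.strip().splitlines() if ln.strip()]
    head = HEADER_RE.match(lines[0])
    if head is None:
        raise ValueError("not an OSSEC alert block")
    rec = {"id": head["id"], "flags": head["flags"].strip(), "timestamp": None,
           "host": None, "location": None, "rule": None, "level": None,
           "description": None, "src_ip": None, "src_ip_source": "none",
           "user": None, "log": []}
    reported_ip = ""
    for ln in lines[1:]:
        if (m := WHEN_RE.match(ln)):
            rec["timestamp"] = parse_timestamp(m["year"], m["mon"], m["day"], m["time"])
            rec["host"], rec["location"] = m["host"], m["location"]
        elif (m := RULE_RE.match(ln)):
            rec["rule"], rec["level"], rec["description"] = int(m["rule"]), int(m["level"]), m["desc"]
        elif (m := SRCIP_RE.match(ln)):
            reported_ip = m["ip"]
        elif (m := USER_RE.match(ln)):
            rec["user"] = None if m["user"] in ("", "none") else m["user"]
        else:
            rec["log"].append(ln)  # everything else is the matched log text
    rec["src_ip"] = normalize_ip(reported_ip)
    if rec["src_ip"] is not None:
        rec["src_ip_source"] = "alert"
    else:
        log_text = " ".join(rec["log"])
        for pat in LOG_IP_RES:
            m = pat.search(log_text)
            if m and (ip := normalize_ip(m["ip"])) is not None:
                rec["src_ip"], rec["src_ip_source"] = ip, "log"
                break
    return rec


def parse_alerts(text):
    """Split alert text on '** Alert' headers and parse each block."""
    return [parse_alert(b) for b in re.split(r"(?m)^(?=\*\* Alert )", text) if b.strip()]


if __name__ == "__main__":
    for r in parse_alerts(SAMPLE_ALERTS):
        print(r["id"], r["timestamp"], r["rule"], r["src_ip"], r["src_ip_source"], r["user"])
```

Running the block prints both alerts with a real 2006-09-08 timestamp and 10.0.3.1 as the source, the second one tagged "log" because its header said 0.0.0.0. Keeping that provenance tag in the database is what lets an analyst tell a genuine source address apart from one recovered heuristically from the log text.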