I configured remote servers to send syslog straight to ossec and then I got a similar log entry as you reported.
I corrected ossec2mysql in order to parse the log entry.
** Alert 1158059536.19220030 : nomail
2006 Sep 12 11:12:16 92382-borch1 -> 10.116.16.32
Rule: 5109 (level 4) -> 'Kernel Input/Output error'
Src IP: (0.0.0.0)
User: (none)
kernel: end_request: I/O error, dev sdd, sector 805583239
you can fetch the latest ossec2mysql from www.riunx.com (ossec-ui)
On 9/13/06,
Meir Michanie <[EMAIL PROTECTED]> wrote:
The dst is taken from the line <date> <agent> -> <log>
The src is taken from src ip line
if the alert has src ip none then I substitute that to 0.0.0.0
The destination IP value should be parsed in the future by ossec-hids. In the meantime dst IP is parsed as I described before.
If the alert host (the dst ip) is not an IP or the script can't resolve to an IP, then it will copy srcip as dstip.

On 9/13/06, Vitor Correia <[EMAIL PROTECTED]> wrote:
hello everyone,
this question is specific to ossecgui.
does anyone know in which situations or in what conditions will/can an ossec server report itself as being 0.0.0.0 or reporting itself as being the agent's ip?
this is happening especially with ssh connections from machine1 to ossec server.
if i logon through ssh from ossecserver to ossecserver it reports as it should:
src ip dest ip
'SSHD authentication success.' 2006-09-13 11:50:18 10.0.7.220 10.0.7.220
but if i logon from another machine it doesn't:
src ip dest ip
'SSHD authentication success.' 2006-09-13 11:47:40 10.0.7.43 10.0.7.43
- the src should be 10.0.7.43 & dest should be 10.0.7.220
background info: this ossecserver is also a central syslog server, listening to network syslogs from other machines and reporting them to ossecgui, using the latest ossecgui snapshot and the latest stable ossec-hids.
for those of you who have been following my questions on this subject, i've pretty much managed to work it out, yey!! :) more on that (including my installation procedure) as soon as i iron out this issue.
now, i don't think i've forgotten to mention anything of importance, what do you think?
./vcorreia
Vitor Correia
Systems Administrator
--
Mobbit Systems
[EMAIL PROTECTED] | Mobile: + 351 916 448 025
Avenida do Forte, 8 - 1º Andar - Frente 01 - 2795-503 Carnaxide
Phone: + 351 21 418 01 40 | Fax: + 351 21 418 01 41
[EMAIL PROTECTED] | www.mobbit.net
for a better world
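Added example, not code from this thread and not the real ossec2mysql script: a small Python parser for the alert block format shown above that applies the src/dst rules Meir describes (src from the "Src IP:" line with "(none)" mapped to 0.0.0.0; dst from the agent in the "<date> <agent> -> <log>" line; if the agent is not an IP and cannot be resolved, dst is copied from src). The first sample alert is the one from the thread; the second alert, its rule id 9999, timestamp, user and sshd log line are constructed. The resolver is injectable so the block runs offline; the assumed `dns_resolver` wraps `socket.gethostbyname` and is only used when no resolver is passed.

```python
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed input. Alert 1 is the block quoted in the thread; alert 2 is made up
# (rule id 9999, timestamp, user and log line are not real OSSEC data).
SAMPLE_ALERTS = """\
** Alert 1158059536.19220030 : nomail
2006 Sep 12 11:12:16 92382-borch1 -> 10.116.16.32
Rule: 5109 (level 4) -> 'Kernel Input/Output error'
Src IP: (0.0.0.0)
User: (none)
kernel: end_request: I/O error, dev sdd, sector 805583239

** Alert 1158144460.1 : mail
2006 Sep 13 11:47:40 10.0.7.220 -> /var/log/auth.log
Rule: 9999 (level 3) -> 'SSHD authentication success.'
Src IP: (10.0.7.43)
User: (vcorreia)
sshd[4242]: Accepted password for vcorreia from 10.0.7.43 port 50001 ssh2
"""

HEADER_RE = re.compile(r"^\*\* Alert (\d+)\.(\d+)\s*:\s*(\S+)")
AGENT_RE = re.compile(r"^(\d{4} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) -> (.*)$")
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SRC_RE = re.compile(r"^Src IP: \((.*)\)$")
USER_RE = re.compile(r"^User: \((.*)\)$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

Resolver = Callable[[str], Optional[str]]


def dns_resolver(name: str) -> Optional[str]:
    """Assumed default resolver: forward DNS lookup, None when it fails."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def src_dst(agent: Optional[str], src_field: Optional[str], resolve: Resolver) -> Tuple[str, str]:
    """The ossec2mysql rules as described in the thread.

    - src comes from the 'Src IP:' line; '(none)' or a missing line becomes 0.0.0.0
    - dst comes from the agent field of '<date> <agent> -> <log>'
    - if the agent is not an IP and cannot be resolved, dst is copied from src
    """
    src = src_field if src_field and src_field != "none" else "0.0.0.0"
    if not agent:
        return src, src
    if IPV4_RE.match(agent):
        return src, agent
    return src, resolve(agent) or src


def _finish(cur: Dict, resolve: Resolver) -> Dict:
    cur["src_ip"], cur["dst_ip"] = src_dst(cur["agent"], cur["src_field"], resolve)
    return cur


def parse_alerts(text: str, resolve: Resolver = dns_resolver) -> List[Dict]:
    """Split an alerts stream into dicts, one per '** Alert' block."""
    alerts: List[Dict] = []
    cur: Optional[Dict] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if cur is not None:
                alerts.append(_finish(cur, resolve))
            cur = {"alert_id": f"{m.group(1)}.{m.group(2)}", "flags": m.group(3),
                   "timestamp": None, "agent": None, "location": None,
                   "rule_id": None, "level": None, "description": None,
                   "src_field": None, "user": None, "log": []}
            continue
        if cur is None or not line.strip():
            continue  # text before the first header, or the blank separator
        if (m := AGENT_RE.match(line)):
            cur["timestamp"], cur["agent"], cur["location"] = m.groups()
        elif (m := RULE_RE.match(line)):
            cur["rule_id"], cur["level"] = int(m.group(1)), int(m.group(2))
            cur["description"] = m.group(3)
        elif (m := SRC_RE.match(line)):
            cur["src_field"] = m.group(1)
        elif (m := USER_RE.match(line)):
            cur["user"] = m.group(1)
        else:
            cur["log"].append(line)  # everything else is the raw log payload
    if cur is not None:
        alerts.append(_finish(cur, resolve))
    return alerts


if __name__ == "__main__":
    # Offline run: a resolver that never resolves shows the "dst copied from src" rule.
    for a in parse_alerts(SAMPLE_ALERTS, resolve=lambda name: None):
        print(a["rule_id"], a["description"], a["src_ip"], "->", a["dst_ip"])
```

Running it with a resolver that cannot resolve "92382-borch1" gives dst 0.0.0.0 for the kernel alert, and swapping the second alert's agent for an unresolvable hostname gives src and dst both 10.0.7.43, which is the same shape as the table Vitor posted; pass a resolver that knows the name (or an agent field that is already an IP) and dst becomes 10.0.7.220.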
