Unfortunately I don't have the start of the log file that ossec would have read to try to identify the log type - it's been running for a few weeks like this.  The log file format is the default generated by Snort 2.3.3 installed via apt on Debian Testing.

I switched formats to snort-full and the false positives have gone away.  Thanks for the help.

On 06/10/06, Daniel Cid <[EMAIL PROTECTED]> wrote:
It does attempt... It checks the beginning of the file for the
snort-full or fast format.
Can you show me the beginning of your alert file? Did you switch alert
methods, btw?

Thanks,

Daniel

On 10/4/06, Harry Wearne <[EMAIL PROTECTED]> wrote:
> The entry in my ossec.conf file says:
>
>   <localfile>
>     <log_format>snort-fast</log_format>
>     <location>/var/log/snort/alert</location>
>   </localfile>
>
> I'll change it to snort-full and see if that fixes it.
>
> The snort log entry was added automatically on installing 0.9.1a (now
> upgraded to 0.9.2) - does the installation system attempt to auto-detect log
> types?
>
>
> On 04/10/06, Daniel Cid <[EMAIL PROTECTED]> wrote:
> > Something is wrong. It looks to me like ossec is reading your
> > snort logs as syslog. Can you show us your /var/ossec/etc/ossec.conf
> > file? You need to make sure that the "log_format" is set to snort-full
> > for this log.
> > It needs to be:
> >
> >   <localfile>
> >     <log_format>snort-full</log_format>
> >     <location>/var/log/snort/alert</location>
> >   </localfile>
>
>
>
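
The check Daniel describes (peek at the start of the alert file and decide between the fast and full Snort formats) and the consequence of getting it wrong (the file being read line by line as generic syslog, which is what produced the false positives above) can be shown with a small detector and parser. This is an added illustration, not part of the thread and not OSSEC's own logcollector code; the Snort 2.x alert lines it parses are constructed samples, and the field layout it assumes is the one Snort's `alert_fast` and `alert_full` output plugins produce.

```python
"""Detect whether a Snort 2.x alert file is in 'fast' or 'full' format and
parse its alerts into records. Added example, not OSSEC code; sample data
below is constructed, not captured from a real sensor."""
import re

# Fast format: one line per alert, led by an MM/DD-HH:MM:SS.usec timestamp.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
# Full format: a multi-line block per alert, opening with "[**]", blank-line separated.
FULL_HEAD_RE = re.compile(
    r"^\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*$"
)
FULL_CLASS_RE = re.compile(
    r"^(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?\[Priority:\s*(?P<prio>\d+)\]\s*$"
)
FULL_ADDR_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)
FULL_PROTO_RE = re.compile(r"^(?P<proto>[A-Z]+)\s+TTL:")

# Constructed samples: the same two events, once per format, plus a syslog line.
FAST_SAMPLE = """\
10/04-12:34:56.789012  [**] [1:2003:8] TEST RULE outbound shell on 4444 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.168.1.5:4444 -> 10.0.0.1:80
10/04-12:35:01.000001  [**] [1:1000001:1] TEST RULE ICMP ping [**] [Priority: 3] {ICMP} 192.168.1.9 -> 10.0.0.1
"""
FULL_SAMPLE = """\
[**] [1:2003:8] TEST RULE outbound shell on 4444 [**]
[Classification: A Network Trojan was detected] [Priority: 1]
10/04-12:34:56.789012 192.168.1.5:4444 -> 10.0.0.1:80
TCP TTL:64 TOS:0x0 ID:12345 IpLen:20 DgmLen:60 DF
***A**** Seq: 0x1  Ack: 0x2  Win: 0x100  TcpLen: 20

[**] [1:1000001:1] TEST RULE ICMP ping [**]
[Priority: 3]
10/04-12:35:01.000001 192.168.1.9 -> 10.0.0.1
ICMP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:84
Type:8  Code:0  ID:1   Seq:1  ECHO

"""
SYSLOG_SAMPLE = "Oct  4 12:34:56 sensor snort[123]: [1:2003:8] TEST RULE outbound shell on 4444\n"


def detect_format(text):
    """Classify a file by its first non-empty line, the way a collector that
    peeks at the head of the file would. Returns None when neither Snort
    layout matches (a collector would then typically fall back to syslog)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if FAST_RE.match(line):
            return "snort-fast"
        if FULL_HEAD_RE.match(line):
            return "snort-full"
        return None
    return None


def _normalize(f):
    """Turn a dict of regex groups into one record shape for both formats."""
    return {
        "ts": f.get("ts"),
        "gid": int(f["gid"]), "sid": int(f["sid"]), "rev": int(f["rev"]),
        "msg": f["msg"],
        "classification": f.get("cls") or "",
        "priority": int(f["prio"]) if f.get("prio") else None,
        "proto": f.get("proto"), "src": f.get("src"), "dst": f.get("dst"),
    }


def parse_fast(text):
    """One alert per matching line; non-matching lines are skipped."""
    return [_normalize(m.groupdict())
            for m in (FAST_RE.match(l.strip()) for l in text.splitlines()) if m]


def _parse_full_block(lines):
    head = FULL_HEAD_RE.match(lines[0])
    if not head:
        return None
    fields = dict(head.groupdict())
    for line in lines[1:]:  # classification/priority, addresses, protocol line
        for rx in (FULL_CLASS_RE, FULL_ADDR_RE, FULL_PROTO_RE):
            m = rx.match(line)
            if m:
                fields.update(m.groupdict())
                break
    return _normalize(fields)


def parse_full(text):
    """Blocks are separated by blank lines; a trailing sentinel flushes the last one."""
    alerts, block = [], []
    for line in text.splitlines() + [""]:
        if line.strip():
            block.append(line.rstrip())
        elif block:
            rec = _parse_full_block(block)
            if rec:
                alerts.append(rec)
            block = []
    return alerts


def parse_alerts(text):
    """Detect, then dispatch. Unknown input yields nothing instead of being
    mis-read line by line as another log type."""
    fmt = detect_format(text)
    if fmt == "snort-fast":
        return parse_fast(text)
    if fmt == "snort-full":
        return parse_full(text)
    return []


if __name__ == "__main__":
    for name, sample in (("fast", FAST_SAMPLE), ("full", FULL_SAMPLE), ("syslog", SYSLOG_SAMPLE)):
        print(name, "->", detect_format(sample), len(parse_alerts(sample)), "alerts")
```

The practical check this gives you: run `detect_format` over the head of `/var/log/snort/alert` and compare the answer with the `<log_format>` in `<localfile>`; if they disagree, or the detector returns None, the decoder will not be applied to what is actually in the file, which is the situation the thread describes. Note that the first line only tells you the format the file started in; if the alert method was switched without rotating the file, later lines can be in the other layout.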
