Try without the word TRACEROUTE, or change the iptables decoder to support
two words before IN.
On 2/1/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
I want to log in OSSEC (in alert.log):
/var/log/kern.log
Jan 31 21:52:55 gatlan kernel: DROP TRACEROUTE IN=ppp0 OUT= MAC= SRC=
81.251.160.88 DST=90.20.131.158 LEN=80 TOS=0x00 PREC=0xC0 TTL=248 ID=3575
PROTO=ICMP TYPE=3 CODE=1 [SRC=90.20.131.158 DST=192.168.1.64 LEN=52
TOS=0x00 PREC=0x00 TTL=54 ID=8857 DF PROTO=TCP SPT=2267 DPT=4662
WINDOW=65535 RES=0x00 SYN URGP=0 ]
/var/ossec/rules/firewall_rules.xml
<rule id="4101" level="6">
<if_sid>4100</if_sid>
<action>DROP</action>
<!-- <options>no_log</options> -->
<description>Firewall drop event.</description>
<group>firewall_drop,</group>
</rule>
/var/ossec/etc/ossec.conf
<localfile>
<log_format>syslog</log_format>
<location>/var/log/kern.log</location>
</localfile>
but nothing is logged by OSSEC...
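The reply points at the decoder, not the rule: the kern.log line carries two words ("DROP TRACEROUTE") between "kernel: " and "IN=", and a decoder written for a single log-prefix word never matches, so rule 4101 is never evaluated. The Python below is an added illustration, not OSSEC's decoder or rule code; the two regular expressions are assumed stand-ins for a one-word and a relaxed multi-word iptables decoder, the one-word-prefix log line is constructed by dropping TRACEROUTE from the quoted event, and the rule-4101 stand-in treats only the first prefix word as the action.

```python
"""Added illustration: why a two-word iptables log prefix ("DROP TRACEROUTE")
defeats a decoder that expects exactly one word before IN=.  Not OSSEC code."""
import re

# Constructed from the kern.log line quoted in the thread, joined onto one line.
TWO_WORD_PREFIX_LINE = (
    "Jan 31 21:52:55 gatlan kernel: DROP TRACEROUTE IN=ppp0 OUT= MAC= "
    "SRC=81.251.160.88 DST=90.20.131.158 LEN=80 TOS=0x00 PREC=0xC0 TTL=248 ID=3575 "
    "PROTO=ICMP TYPE=3 CODE=1 [SRC=90.20.131.158 DST=192.168.1.64 LEN=52 "
    "TOS=0x00 PREC=0x00 TTL=54 ID=8857 DF PROTO=TCP SPT=2267 DPT=4662 "
    "WINDOW=65535 RES=0x00 SYN URGP=0 ]"
)
# Constructed: the same event as it would appear with a one-word log prefix ("DROP").
ONE_WORD_PREFIX_LINE = TWO_WORD_PREFIX_LINE.replace("DROP TRACEROUTE", "DROP", 1)

# Assumed stand-in for the stock decoder: exactly one word between "kernel: " and "IN=".
ONE_WORD_DECODER = re.compile(
    r"kernel: (\S+) IN=(\S*) OUT=(\S*) .*?SRC=(\S+) DST=(\S+)")
# Assumed relaxed decoder: first word is the action, further words before IN= are ignored.
MULTI_WORD_DECODER = re.compile(
    r"kernel: (\S+)(?: \S+)*? IN=(\S*) OUT=(\S*) .*?SRC=(\S+) DST=(\S+)")


def decode(line, decoder):
    """Return the fields a firewall rule would see, or None if the decoder does not match."""
    m = decoder.search(line)
    if m is None:
        return None
    action, ifin, ifout, src, dst = m.groups()
    # The lazy .*? stops at the first SRC=, i.e. the outer packet, not the
    # bracketed TCP header echoed back inside the ICMP unreachable payload.
    return {"action": action, "in": ifin, "out": ifout, "srcip": src, "dstip": dst}


def firewall_drop_alert(fields):
    """Stand-in for rule 4101 from the thread: fires when the decoded action is DROP."""
    if fields is None or fields["action"] != "DROP":
        return None
    return {"rule_id": 4101, "level": 6, "group": "firewall_drop",
            "description": "Firewall drop event.", "srcip": fields["srcip"]}


def alert_for(line, decoder):
    """Full pipeline: decode the line, then apply the drop rule."""
    return firewall_drop_alert(decode(line, decoder))


if __name__ == "__main__":
    for lname, line in (("two-word prefix", TWO_WORD_PREFIX_LINE),
                        ("one-word prefix", ONE_WORD_PREFIX_LINE)):
        for dname, dec in (("one-word decoder", ONE_WORD_DECODER),
                           ("multi-word decoder", MULTI_WORD_DECODER)):
            print(f"{lname:16} / {dname:18}: {alert_for(line, dec)}")
```

Running it shows the two fixes from the reply side by side: with the two-word prefix the one-word decoder yields no fields and therefore no alert, while either shortening the prefix to a single word or relaxing the decoder produces the level-6 firewall_drop alert with the outer packet's source address.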