Correction to my previous post. Change line 31, from:


'\100',

to

'\001',


**\100 is @, not \040... Sorry for the confusion.


Daniel


On 3/22/07, Daniel Cid <[EMAIL PROTECTED]> wrote:
Hi Matthew,

Having an "@" in the hostname is invalid and I have no clue why syslog-ng does
that (it is wrong according to the syslog rfc and as a host name/domain name).
Anyway, if you want to have your logs working, you would need to change the
code to handle that. Go to src/os_regex/os_regex_maps.h and on line 27, change

'\040',

to

'\001',

*(\040 == '@').

After that, re-compile ossec and copy the binaries to /var/ossec/bin:

# cd src/
# make clean; make all
# /var/ossec/bin/ossec-control stop
# cp -pr analysisd/ossec-analysisd /var/ossec/bin
# /var/ossec/bin/ossec-control start


Btw, did anyone else have this problem? I am wondering if I should make this
the default behavior on ossec.... Any other syslog-ng user here?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 3/21/07, Matthew Hilty <[EMAIL PROTECTED]> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hi OSSEC listers,
>
>     First of all, a much-deserved "strong work" to all developers and
> contributors.  This is a very, very flexible package that (gasp) makes
> me want to relearn what I've forgotten about regexes!
>
>      Now, to the point, I'm getting the following in ossec.log every
> time a rule fires:
>
> 2007/03/21 10:28:00 ossec-analysisd(1275): Invalid hostname in syslog
> message: 'Mar 21 15:28:00 [EMAIL PROTECTED] sshd[XXXXX]: Accepted
> password for user from ::ffff:X.X.X.X port XXXXX ssh2'.
>
>
> It looks like ossec-analysisd is choking on the log format which contains
> the source driver identifier (in this case s_local) most likely due to
> the @ character since it's not an allowed character for a host....I
> think it's a null in ascii, but I might be wrong.
> In any event, since this is the default behavior of syslog-ng and a
> useful feature, I'm wondering if anyone else has encountered it and can
> help me think my way out of this paper bag.
>
>
> thanks,
>
>
>
> Matt
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (Darwin)
>
> iQEVAwUBRgF01zg7f5odKTjvAQjX8wf+PLoFCYb8q+oWG7HgUeMkruP7amoDXYNT
> 1VTNEOFP2cycle0UlA7p3T1ieZdbUz1ZOysSC6z+Z2aLV6ILxUQSIVV8tpxFwA9v
> 7cPqq8BOjtcQsOGHTxXnyLzhpYxp6l/blYNOpZbgWDbXU4uly5AnwSaXemOWn7Tu
> HMY/qOiTTTrnCbaWjALw33pJ1LdcyNSHNEGDmb/dp/IDSve3tt4hUx0YAKNCuXpT
> 68Fnisw4kp5m1zvaGE0LWbIl8dN/bkgA1FiUYLlMwH4gOf0S/XkUQozWzRgZ5+ZE
> QDemyfQFGtk408p5m3kA14J/jlnNR1I5Kr1p2hsfl7lDnaE7nhDLrg==
> =hIof
> -----END PGP SIGNATURE-----
>
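The thread turns on two details: the octal escape `'\100'` is `'@'` (while `'\040'` is a space), and OSSEC's analysisd rejects a syslog hostname that contains `'@'`, so syslog-ng's `s_local@host` form produces the "Invalid hostname in syslog message" error. The C program below is an added example, not code from OSSEC or from anyone in the thread. It models the effect of the edit Daniel describes with a hypothetical terminator table of its own (the real table in `src/os_regex/os_regex_maps.h` is laid out differently): a hostname token ends at the first byte found in the table, so swapping `'@'` for `'\001'` (a byte that never occurs in a text log) lets the token run up to the next space. The log line it parses is constructed to resemble Matt's redacted one; the hostname `webhost` and address `192.0.2.10` are made up.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OSSEC's code. HOST_TERMINATORS_* is a hypothetical
 * stand-in for the character table discussed in the thread: bytes that
 * end a hostname token. Written with the same octal escapes the thread
 * uses: '\040' is a space (32), '\100' is '@' (64). */
static const char HOST_TERMINATORS_DEFAULT[] = { '\040', '\100', '\t', '\0' };
/* The "patched" table: '@' replaced by '\001', so '@' no longer ends
 * the hostname and syslog-ng's "s_local@host" is accepted whole. */
static const char HOST_TERMINATORS_PATCHED[] = { '\040', '\001', '\t', '\0' };

/* Constructed sample line in the shape of the one in Matt's report. */
static const char SAMPLE_LINE[] =
    "Mar 21 15:28:00 s_local@webhost sshd[4242]: Accepted password "
    "for user from ::ffff:192.0.2.10 port 51234 ssh2";

#define SYSLOG_TS_LEN 15   /* "Mar 21 15:28:00" */

/* Sanity check for the correction at the top of the thread. */
int octal_escapes_as_stated(void) {
    return '\100' == '@' && '\040' == ' ';
}

/* Build a 256-entry lookup table from a NUL-terminated terminator list. */
static void build_map(const char *terms, unsigned char map[256]) {
    memset(map, 0, 256);
    for (; *terms; terms++) map[(unsigned char)*terms] = 1;
}

/* Parse "Mmm dd hh:mm:ss HOST rest". Assumes the fixed 15-byte BSD
 * syslog timestamp. Copies the hostname into host (hostlen bytes) and
 * returns 1 on success, 0 when the hostname is empty or is not followed
 * by a space, which is what the analysisd error in the thread reports. */
int parse_syslog_host(const char *line, const char *terms,
                      char *host, size_t hostlen) {
    unsigned char map[256];
    build_map(terms, map);

    if (strlen(line) < SYSLOG_TS_LEN + 2 || line[SYSLOG_TS_LEN] != ' ')
        return 0;
    const char *p = line + SYSLOG_TS_LEN + 1;
    size_t n = 0;
    while (p[n] && !map[(unsigned char)p[n]])
        n++;
    /* Token stopped at '@' (default table) or at the space (patched). */
    if (n == 0 || n >= hostlen || p[n] != ' ')
        return 0;
    memcpy(host, p, n);
    host[n] = '\0';
    return 1;
}

/* Convenience wrapper: 1 if the line parses and the hostname matches. */
int host_parses_as(const char *line, const char *terms, const char *expected) {
    char host[64];
    if (!parse_syslog_host(line, terms, host, sizeof host))
        return 0;
    return strcmp(host, expected) == 0;
}

int main(void) {
    char host[64];
    printf("default table: %s\n",
           parse_syslog_host(SAMPLE_LINE, HOST_TERMINATORS_DEFAULT, host, sizeof host)
               ? host : "Invalid hostname in syslog message");
    printf("patched table: %s\n",
           parse_syslog_host(SAMPLE_LINE, HOST_TERMINATORS_PATCHED, host, sizeof host)
               ? host : "Invalid hostname in syslog message");
    return 0;
}
```

With the default table the scan stops at `'@'`, the next byte is not a space, and the line is rejected exactly as Matt saw; with the patched table the hostname comes back as `s_local@webhost`. Note what the patch trades away: `'@'` is not a legal hostname character under the syslog and DNS rules Daniel cites, so after the change analysisd will accept that byte in the hostname field of any message, not only those from syslog-ng.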
