Hi James, Reply inline...
On 6/15/07, James Ervin <[EMAIL PROTECTED]> wrote:
> For administrative reasons, we have to keep the OSSEC server separate from
> the central syslog server, so we opted not to install OSSEC on the syslog
> server in "server" mode (i.e., we can't have OSSEC listening on port 514
> on the syslog server).

You could have installed ossec in the syslog server (even in server mode)
and disabled the remote syslog option. You would only need to configure it
to read the local log files (containing the logs from all your systems).

> However, my OSSEC installation doesn't seem to be differentiating between
> the hosts properly in this configuration. Maybe someone on the list has
> some suggestions? Caveat: I have not upgraded to OSSEC 1.2 yet.

The issue is that your logs are not well formatted (according to the syslog
RFC) and ossec doesn't know how to extract the hostnames.

Your logs are:

2007-06-14T15:48:55-04:00 internalhost1

While on syslog, it would be:

Jun 14 15:48:55 internalhost1

That's why ossec is not using the hostnames. Is it something you did
specially for your environment or is syslog-ng setting the time/date like
that?

*Not only the hostnames are not being parsed, but also the program name
(e.g. sshd), which is causing your ossec install to miss a lot of stuff
(some of our rules/decoders are based on the program name)...

Hope it helps..

-- 
Daniel B. Cid
dcid ( at ) ossec.net
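To make the parsing failure described in the thread concrete, here is an added example (not OSSEC's own decoder code): a minimal Python syslog header parser that, like a BSD-only decoder, gets no hostname or program name out of the ISO 8601 line, beside a format-aware variant that recovers both. The two log lines are constructed for the example; the regexes are simplified and assume the usual "host program[pid]: message" layout.

```python
import re
from typing import Optional

# Constructed sample lines (not from the original thread): the same sshd
# event written with syslog-ng's ISO 8601 timestamp and with the classic
# BSD (RFC 3164) timestamp.
ISO_LINE = ("2007-06-14T15:48:55-04:00 internalhost1 sshd[2345]: "
            "Failed password for invalid user admin from 10.0.0.5 port 4022 ssh2")
BSD_LINE = ("Jun 14 15:48:55 internalhost1 sshd[2345]: "
            "Failed password for invalid user admin from 10.0.0.5 port 4022 ssh2")

# BSD header: "Mmm dd hh:mm:ss host program[pid]: message"
BSD_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# ISO 8601 / RFC 3339 timestamp, as produced by syslog-ng's ISO date format.
ISO_HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_bsd_only(line: str) -> Optional[dict]:
    """Decoder that only knows the BSD timestamp: an ISO-stamped line yields
    no hostname and no program name, so host- and program-based rules miss."""
    m = BSD_HEADER.match(line)
    return m.groupdict() if m else None


def parse_syslog(line: str) -> Optional[dict]:
    """Format-aware decoder: try the BSD header, then the ISO 8601 header,
    so hostname and program name are recovered from either layout."""
    for pattern in (BSD_HEADER, ISO_HEADER):
        m = pattern.match(line)
        if m:
            return m.groupdict()
    return None


if __name__ == "__main__":
    for line in (BSD_LINE, ISO_LINE):
        print("bsd-only:", parse_bsd_only(line))
        print("aware   :", parse_syslog(line))
```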
