Daniel-

Thanks for the information!

You are right about the date format in our logs. One of the big problems in 
our environment is log normalization. We receive logs from many embedded 
devices which have extremely inaccurate clocks, so we are using the 
"ISODATE" option of syslog-ng which (so far as I know) conforms to the 
ISO-8601 specification for dates; this is actually a recommendation in the 
syslog-ng manual.

However, now that I know what the problem is (thanks again; that hadn't 
even occurred to me!), it will be simple to set up another output stream 
within syslog-ng using the "normal" syslog format.

James Ervin
ITS Control Center
UNC-Chapel Hill

work:  (919) 843-8311
cell:  (919) 360-3001
email: [EMAIL PROTECTED]

On Sat, 16 Jun 2007, Daniel Cid wrote:

>
> Hi James,
>
> Reply inline...
>
> On 6/15/07, James Ervin <[EMAIL PROTECTED]> wrote:
>>
>> For administrative reasons, we have to keep the OSSEC server separate from
>> the central syslog server, so we opted not to install OSSEC on the syslog
>> server in "server" mode (i.e., we can't have OSSEC listening on port 514
>> on the syslog server).
>
> You could have installed ossec in the syslog server (even in server mode) and
> disabled the remote syslog option. You would only need to configure it to
> read the local log files (containing the logs from all your systems).
>
>
>> However, my OSSEC installation doesn't seem to be differentiating between
>> the hosts properly in this configuration. Maybe someone on the list has
>> some suggestions? Caveat: I have not upgraded to OSSEC 1.2 yet.
>
>
> The issue is that your logs are not well formatted (according to the syslog 
> RFC)
> and ossec doesn't know how to extract the hostnames.
>
> Your logs are:
>
> 2007-06-14T15:48:55-04:00 internalhost1
>
> While on syslog, it would be:
>
> Jun 14 15:48:55 internalhost1
>
> That's why ossec is not using the hostnames. Is it something you did specially
> for your environment or is syslog-ng setting the time/date like that?
>
> *Not only are the hostnames not being parsed, but also the program
> name (e.g. sshd),
> which is causing your ossec install to miss a lot of stuff (some of
> our rules/decoders
> are based on the program name)...
>
>
> Hope it helps..
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
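The two header layouts Daniel contrasts above, as an added example that is not part of this thread or of OSSEC's own code: a small Python script that approximates a traditional BSD-syslog header decoder, shows that it extracts no hostname or program name from an ISODATE-style line, and rewrites such a line into the classic form (the normalization step James plans to do with a second syslog-ng output stream). The sample lines are constructed, and the decoder pattern is an assumption about the "Mon dd HH:MM:SS host program[pid]:" layout, not OSSEC's decoder.

```python
import re
from datetime import datetime

# Constructed sample lines: the ISO-8601 ("ISODATE") layout syslog-ng emits,
# and the classic BSD-syslog layout a traditional decoder expects.
ISO_LINE = "2007-06-14T15:48:55-04:00 internalhost1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2"
BSD_LINE = "Jun 14 15:48:55 internalhost1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2"
# Constructed edge case: a single-digit day, which BSD syslog pads with a space.
ISO_LINE_PADDED = "2007-06-04T08:05:01-04:00 edge-dev01 kernel: eth0: link up"

# Assumed header pattern for the traditional format: "Mmm dd HH:MM:SS host program[pid]: msg".
BSD_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# ISO-8601 timestamp with Z or a numeric UTC offset, as syslog-ng's ISODATE option produces.
ISO_HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:Z|[+-]\d\d:\d\d)) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def decode_bsd(line):
    """Return the header fields a BSD-syslog decoder would extract, or None if the line does not match."""
    m = BSD_HEADER.match(line)
    return m.groupdict() if m else None


def iso_to_bsd(line):
    """Rewrite an ISODATE-style line into BSD-syslog form so a traditional decoder can parse it.

    The wall-clock time is kept as written; the UTC offset is dropped because the
    BSD header has no field for it (the year is lost too, as in any BSD-syslog line).
    """
    m = ISO_HEADER.match(line)
    if m is None:
        return None
    ts = m.group("ts")
    if ts.endswith("Z"):          # fromisoformat on older Pythons does not accept a bare Z
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    header = f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"   # day is space-padded, as BSD syslog does
    pid = f"[{m.group('pid')}]" if m.group("pid") else ""
    return f"{header} {m.group('host')} {m.group('prog')}{pid}: {m.group('msg')}"
```

Running `decode_bsd` on `ISO_LINE` returns None, which is the behaviour the thread describes; after `iso_to_bsd` the same line yields host `internalhost1` and program `sshd`.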
