This is a question I've been wondering: what logformat value should be used for a firewall rule, if it isn't syslog? I checked the source in localfile-config.c and I don't see any value there that indicates this is possible. The only values I see are: syslog, snort-full, snort-fast, apache, iis, squid, nmapg, and EVENTLOG. I can see where Philipp could change his logformat to apache or iis (since he is concerned with a webserver), but I'm getting 1002 on all my firewall entries, too.

A bit of background: we use syslog-ng as our syslog server instead of the built-in ossec syslog server because syslog-ng gives us the ability to break out our logs into separate files, which is a great help when we are manually examining the logs during troubleshooting. I've added the files to be watched in the ossec.conf as syslog files. A sample log entry looks like:

Sep 28 10:21:21 10.2.103.1 Sep 28 2007 10:21:21 firewall-hostname : %ASA-2-106001: Inbound TCP connection denied from 216.239.51.104/80 to 1.2.3.4/56713 flags PSH ACK on interface outside

The first timestamp is the time on the syslog server and the second timestamp is from the original host. This allows some correlation if the time is off.[1]

Granted, I haven't been using OSSEC for very long and have a lot of reading in front of me, but I haven't found much in the way of logformat options. Despite the fact that I plastered everywhere that OSSEC supports such and such. Are all these supposed to go into syslog format? And does OSSEC have a problem with running a separate syslog server?

Thanks for all your help.

JM

[1] Yes, we use NTP for time, but sometimes things go wrong and this double entry for time has proven to be a great help to us in the past.

On Sep 27, 8:03 pm, "Daniel Cid" <[EMAIL PROTECTED]> wrote:
> Hi Philipp,
>
> Sorry for the late reply... Catching up on e-mails :)
>
> Your web servers logs should not be checked against rule 1002, which
> is exclusive to syslog messages. Internally, on ossec, we separate the logs per
> category (weblog, syslog, proxy, firewall, etc) and it wouldn't match
> Apache logs against syslog ones, unless the
> apache log is not being decoded properly.
>
> Can you show us a sample from your logs? Are they in a different
> format than the default apache one?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
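As an added illustration (not part of the original thread or of OSSEC itself), a small Python parser for the double-timestamped lines described above: it separates the syslog-ng relay header from the ASA's own header, pulls the fields out of a 106001 denial, and computes the clock offset between the two timestamps that the footnote relies on. The sample lines are constructed in that shape; the second one has a deliberately skewed ASA clock.

```python
import re
from datetime import datetime

# Constructed sample lines: syslog-ng receive time and sender IP, then the
# ASA's own timestamp (with year), hostname, message ID and message text.
SAMPLE_LOGS = [
    "Sep 28 10:21:21 10.2.103.1 Sep 28 2007 10:21:21 firewall-hostname : "
    "%ASA-2-106001: Inbound TCP connection denied from 216.239.51.104/80 "
    "to 1.2.3.4/56713 flags PSH ACK on interface outside",
    "Sep 28 10:21:25 10.2.103.1 Sep 28 2007 10:19:25 firewall-hostname : "
    "%ASA-2-106001: Inbound TCP connection denied from 198.51.100.7/443 "
    "to 1.2.3.4/40012 flags SYN on interface outside",
]

LINE_RE = re.compile(
    r"^(?P<relay_ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "  # syslog-ng time, no year
    r"(?P<relay_src>\d{1,3}(?:\.\d{1,3}){3}) "               # sender as seen by syslog-ng
    r"(?P<host_ts>\w{3} {1,2}\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "  # ASA clock, with year
    r"(?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<msg>.*)$"
)
DENY_RE = re.compile(
    r"Inbound (?P<proto>\w+) connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>\S+)$"
)


def parse_line(line):
    """Split a relayed ASA line into relay fields, host fields and clock skew."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    host_dt = datetime.strptime(rec["host_ts"], "%b %d %Y %H:%M:%S")
    # The syslog-ng timestamp carries no year; borrow it from the ASA timestamp.
    relay_dt = datetime.strptime(rec["relay_ts"], "%b %d %H:%M:%S").replace(year=host_dt.year)
    rec["skew_seconds"] = (host_dt - relay_dt).total_seconds()
    # The message as the firewall sent it, i.e. without the syslog-ng prefix.
    rec["original"] = line[m.start("host_ts"):]
    d = DENY_RE.match(rec["msg"])
    if rec["msgid"] == "106001" and d:
        rec.update(d.groupdict())
    return rec


def skewed_hosts(lines, max_skew=60):
    """Return (host, skew) for lines whose firewall clock is off from the relay's by more than max_skew seconds."""
    out = []
    for rec in map(parse_line, lines):
        if rec and abs(rec["skew_seconds"]) > max_skew:
            out.append((rec["host"], rec["skew_seconds"]))
    return out
```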
