I've seen this as well. In the PIX/ASA config you can assign names to
IPs like:

    name 10.0.0.1 testbox

That will then cause all syslog messages that might use 10.0.0.1 to
instead print testbox. For example:

    %PIX-5-106100: access-list inside permitted tcp inside/testbox(2186) -> outside/192.168.5.100(100) hit-cnt 1 (first hit)

The problem is, the name in the PIX/ASA config doesn't have to be a
hostname...it's any text the admin chooses to assign to that IP.
aaron
Daniel Cid wrote:
> Hi Will,
>
> Can you provide a few more details? A few examples? You meant that instead
> of the IP address you can have the hostname in the logs? If that's the case we
> should fix the decoder for that...
>
> Btw, we have pix information at:
> http://www.ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_examples#Configuring_PIX
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Dec 6, 2007 1:15 AM, Will Metcalf <[EMAIL PROTECTED]> wrote:
>> Just an FYI as I couldn't find anything about it on the OSSEC wiki for
>> PIX logs. If you are using names in your PIX/ASA config the decoder
>> seems to be broken as it is trying to match y.y.y.y but if you are
>> using names (which is helpful when you have a few thousand rules to
>> manage) you could have a string instead, i.e. "y.y.y.y" would instead be
>> "someservername". You can turn off names by issuing the no names
>> command or do what I did and change the decoder to match on a non
>> white space string, which hasn't seemed to cause any issues for me
>> anyway ;-)
>>
>> Regards,
>>
>> Will
>>
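
The parsing problem discussed in this thread, as an added example that is not part of the original messages and is not OSSEC's decoder: a Python parser for the 106100 line that accepts either an IP or a configured name in the host field, records which one it saw, and resolves names through the `name` lines of the firewall config. The function names, the regular expression and the acceptance of an `%ASA-` prefix are assumptions of this sketch.

```python
import ipaddress
import re

# Constructed inputs: the "name" line and 106100 message quoted in the thread.
SAMPLE_CONFIG = "name 10.0.0.1 testbox\n"
SAMPLE_LOG = ("%PIX-5-106100: access-list inside permitted tcp inside/testbox(2186) -> "
              "outside/192.168.5.100(100) hit-cnt 1 (first hit)")

# Host fields: any run without whitespace or parentheses, since a configured
# name is free text chosen by the admin, not necessarily a hostname or an IP.
LINE_RE = re.compile(
    r"^%(?:PIX|ASA)-\d-106100: access-list (?P<acl>\S+) (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src_if>[^/\s]+)/(?P<src>[^()\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/\s]+)/(?P<dst>[^()\s]+)\((?P<dport>\d+)\)")

def load_names(config_text):
    """Build a name -> IP map from 'name <ip> <name>' config lines."""
    names = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "name":
            names[parts[2]] = parts[1]
    return names

def resolve(value, names):
    """Return (kind, ip): kind is 'ip' or 'name'; ip is None if unresolved."""
    try:
        return "ip", str(ipaddress.ip_address(value))
    except ValueError:
        return "name", names.get(value)

def parse_106100(line, names=None):
    """Parse one 106100 line; returns a dict of fields or None if no match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    event = m.groupdict()
    for side in ("src", "dst"):
        event[side + "_kind"], event[side + "_ip"] = resolve(event[side], names or {})
    return event

if __name__ == "__main__":
    print(parse_106100(SAMPLE_LOG, load_names(SAMPLE_CONFIG)))
```

Keeping the `*_kind` field lets downstream rules distinguish a real address from admin-chosen text, so an unresolved name is never compared against IP-based rules as if it were an address.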