Hi Jonny,

That's exactly what is going on. Where is your syslog server running (which os)?
Adding an additional hostname is not the proper thing to do and I only saw this
happening on older versions of Slackware (and Solaris).

An easy way to solve that is to disable remote syslog on that box and send all
these logs directly to OSSEC syslog receiver (or use the agent to do so).

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net



On Tue, Sep 16, 2008 at 12:16 PM, Jonny Gerold <[EMAIL PROTECTED]> wrote:
>
> Hello,
> I have a problem. I would like to get all logins logged from this
> system, and have it all set up in ossec, and it's working for all my
> systems except this one. The issue is that when the message is sent to
> my syslog server to be parsed by ossec something gets mucked up. The
> original log is shown below. It's from a 10.5.2 mac computer
> (/var/log/secure.log) and it's being sent to my syslog server. The
> syslog server sees it as edc1 edc1, where on the original log it's
> correct with no double. I figure that because there is a double ossec
> isn't parsing it correctly, and that's why I'm not getting a notice when
> someone logs into the system.
>
> Thanks, Jonny
>
>
> Original:
> Sep 15 01:55:21 edc1 sshd[64736]: Accepted publickey for **** from
> **.**.**.* port ***** ssh2
>
> Received by syslog:
> Sep 15 01:55:21 edc1 edc1 sshd[64736]: Accepted publickey for **** from
> **.**.**.* port ***** ssh2
>
>
> /etc/syslog.conf on sending server (original)
> local3.info    /var/log/ccauth_proxy.log
> *.*    @syslog.*****.com
> *.err;kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit    /dev/console
> *.notice;authpriv,remoteauth,ftp,install.none;kern.debug;mail.crit    /var/log/system.log
>
> # Send messages normally sent to the console also to the serial port.
> # To stop messages from being sent out the serial port, comment out this line.
> #*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit    /dev/tty.serial
>
> # The authpriv log file should be restricted access; these
> # messages shouldn't go to terminals or publically-readable
> # files.
> auth.info;authpriv.*;remoteauth.crit            /var/log/secure.log
>
> lpr.info                        /var/log/lpr.log
> mail.*                            /var/log/mail.log
> ftp.*                            /var/log/ftp.log
> install.*                        /var/log/install.log
> install.*                        @127.0.0.1:32376
> local0.*                        /var/log/appfirewall.log
> local1.*                        /var/log/ipfw.log
>
> *.emerg                            *
>
>
>

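To make the failure mode in this thread concrete, here is a small added example (not OSSEC's decoder and not code from either poster) that parses BSD-style syslog lines the way a collector would, shows why the relayed line with the doubled hostname "edc1 edc1" no longer matches the sshd login pattern, and collapses the duplicate so the login event is recognised again. The sample lines are constructed from the ones in the post with placeholder user, address and port; the regular expressions are assumptions about the header shape, not OSSEC's own rules. Daniel's advice (send the logs straight to the OSSEC receiver or agent) remains the real fix; the collapse function is only a collector-side workaround for a relay that cannot be changed.

```python
import re

# Constructed sample lines mirroring the thread; user, IP and port are placeholders.
ORIGINAL = ("Sep 15 01:55:21 edc1 sshd[64736]: Accepted publickey for alice "
            "from 192.0.2.10 port 51234 ssh2")
RELAYED = ("Sep 15 01:55:21 edc1 edc1 sshd[64736]: Accepted publickey for alice "
           "from 192.0.2.10 port 51234 ssh2")

# Assumed BSD-style (RFC 3164) header: timestamp, hostname, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# sshd successful-login message, as a detection rule would match it.
SSHD_ACCEPT_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

# Timestamp, a hostname, the same hostname again (backreference), then the rest.
DOUBLED_HOST_RE = re.compile(
    r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) \2 (.*)$"
)


def parse_syslog(line):
    """Return the header fields, or None when the line does not fit the expected shape."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def fix_doubled_hostname(line):
    """Collapse 'ts host host prog...' into 'ts host prog...' (the relay artefact
    from the thread). Returns (fixed_line, was_doubled); untouched lines pass through."""
    m = DOUBLED_HOST_RE.match(line)
    if not m:
        return line, False
    return f"{m.group(1)} {m.group(2)} {m.group(3)}", True


def detect_ssh_login(line):
    """Parse the line and, if it is an sshd 'Accepted' event, return its fields.
    With the doubled hostname the header does not parse, so nothing is detected."""
    hdr = parse_syslog(line)
    if hdr is None or hdr["prog"] != "sshd":
        return None
    ev = SSHD_ACCEPT_RE.match(hdr["msg"])
    if ev is None:
        return None
    fields = ev.groupdict()
    fields["host"] = hdr["host"]
    return fields


if __name__ == "__main__":
    for label, line in (("original", ORIGINAL), ("relayed", RELAYED)):
        print(label, "->", detect_ssh_login(line))
    fixed, doubled = fix_doubled_hostname(RELAYED)
    print("after collapse (doubled=%s) ->" % doubled, detect_ssh_login(fixed))
```

Running the script shows the original line yielding the login fields, the relayed line yielding nothing, and the collapsed line parsing again. Because the backreference requires the two hostnames to be identical, the workaround cannot damage a normal line whose program name happens to follow the host.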