The path is this. Mac 10.5.2 Machine > Syslog Server < OSSEC lives on syslog server.
I thought that this could be tacked on via DNS or something. Yet I couldn't figure out how to change it, or why it would be doing it in the first place.

Thanks,
Jonny

Daniel Cid wrote:
> Hi Jonny,
>
> That's exactly what is going on. Where is your syslog server running
> (which OS)? Adding an additional hostname is not the proper thing to do
> and I only saw this happening on older versions of Slackware (and Solaris).
>
> An easy way to solve that is to disable remote syslog on that box and
> send all these logs directly to OSSEC syslog receiver (or use the agent
> to do so).
>
> Hope it helps.
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
>
> On Tue, Sep 16, 2008 at 12:16 PM, Jonny Gerold <[EMAIL PROTECTED]> wrote:
>
>> Hello,
>> I have a problem. I would like to get all logins logged from this
>> system, and have it all set up in OSSEC, and it's working for all my
>> systems except this one. The issue is that when the message is sent to
>> my syslog server to be parsed by OSSEC something gets mucked up. The
>> original log is shown below. It's from a 10.5.2 Mac computer
>> (/var/log/secure.log) and it's being sent to my syslog server. The
>> syslog server sees it as "edc1 edc1", where on the original log it's
>> correct with no double. I figure that because there is a double OSSEC
>> isn't parsing it correctly, and that's why I'm not getting a notice when
>> someone logs into the system.
>>
>> Thanks, Jonny
>>
>>
>> Original:
>> Sep 15 01:55:21 edc1 sshd[64736]: Accepted publickey for **** from **.**.**.* port ***** ssh2
>>
>> Received by syslog:
>> Sep 15 01:55:21 edc1 edc1 sshd[64736]: Accepted publickey for **** from **.**.**.* port ***** ssh2
>>
>>
>> /etc/syslog.conf on sending server (original)
>> local3.info                                             /var/log/ccauth_proxy.log
>> *.*                                                     @syslog.*****.com
>> *.err;kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit   /dev/console
>> *.notice;authpriv,remoteauth,ftp,install.none;kern.debug;mail.crit    /var/log/system.log
>>
>> # Send messages normally sent to the console also to the serial port.
>> # To stop messages from being sent out the serial port, comment out this line.
>> #*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit          /dev/tty.serial
>>
>> # The authpriv log file should be restricted access; these
>> # messages shouldn't go to terminals or publicly-readable
>> # files.
>> auth.info;authpriv.*;remoteauth.crit                    /var/log/secure.log
>>
>> lpr.info                                                /var/log/lpr.log
>> mail.*                                                  /var/log/mail.log
>> ftp.*                                                   /var/log/ftp.log
>> install.*                                               /var/log/install.log
>> install.*                                               @127.0.0.1:32376
>> local0.*                                                /var/log/appfirewall.log
>> local1.*                                                /var/log/ipfw.log
>>
>> *.emerg                                                 *
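The following is an added illustration, not code from the thread, from OSSEC or from Apple's syslogd. It parses the two lines Jonny quoted with a small regex written for the classic BSD layout ("Mon DD HH:MM:SS host prog[pid]: msg") that syslog-based decoders are assumed here to expect, shows that the relayed line with the repeated hostname fails to decode (so a rule keyed on program "sshd" never sees it), and applies a relay-side repair that drops the repeated host token. The sample lines, the user name and the addresses are constructed; the regex is not OSSEC's decoder and the repair is a workaround, not the fix Daniel recommends.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed layout (classic BSD syslog): "Mon DD HH:MM:SS host prog[pid]: msg".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Looser pattern used only to locate the host token for the repair step.
HOST_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)


@dataclass
class Event:
    ts: str
    host: str
    prog: str
    pid: Optional[int]
    msg: str


def parse(line: str) -> Optional[Event]:
    """Decode one syslog line; None when it does not fit the assumed layout."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pid = m.group("pid")
    return Event(m.group("ts"), m.group("host"), m.group("prog"),
                 int(pid) if pid is not None else None, m.group("msg"))


def strip_duplicate_hostname(line: str) -> str:
    """Drop a second copy of the hostname that directly follows the first.

    Hypothetical relay-side workaround for the 'edc1 edc1' case; the cleaner
    fix from the thread is to stop relaying and send to OSSEC directly.
    """
    m = HOST_RE.match(line)
    if not m:
        return line
    host, rest = m.group("host"), m.group("rest")
    dup = host + " "
    if rest.startswith(dup):
        return f"{m.group('ts')} {host} {rest[len(dup):]}"
    return line


def is_ssh_login(ev: Optional[Event]) -> bool:
    """The check an 'sshd accepted a login' rule would make on a decoded event."""
    return ev is not None and ev.prog == "sshd" and ev.msg.startswith("Accepted ")


# Constructed samples with the same shape as the two lines quoted in the thread.
ORIGINAL = ("Sep 15 01:55:21 edc1 sshd[64736]: "
            "Accepted publickey for alice from 10.0.0.5 port 51122 ssh2")
RELAYED = ("Sep 15 01:55:21 edc1 edc1 sshd[64736]: "
           "Accepted publickey for alice from 10.0.0.5 port 51122 ssh2")

if __name__ == "__main__":
    samples = (("original", ORIGINAL),
               ("relayed", RELAYED),
               ("relayed, repaired", strip_duplicate_hostname(RELAYED)))
    for label, line in samples:
        ev = parse(line)
        print(f"{label:18s} decoded={ev is not None!s:5s} ssh_login={is_ssh_login(ev)}")
```

With the repeated host token, the program field cannot be found (the token after the hostname is "edc1" with no "[pid]:" behind it), so decoding fails before any rule runs; after the repeat is removed the line decodes with program "sshd" and pid 64736 and the login check fires. Because the repair assumes a bare word immediately after the host is never a legitimate program name equal to the host, prefer Daniel's suggestion of sending the logs straight to the OSSEC receiver or through the agent over keeping a rewrite like this on the relay.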
