I'm looking into rolling OSSEC out to a decent sized group of computers and am doing it in stages. One of the first stages involved deploying it to a centralized syslog server that catches all authpriv logging from throughout the fleet. However, it seems that OSSEC doesn't know how to handle the IP address in the prefix of the line. Instead, it just ignores it, treating all events as if they affect the logging server instead of one of the clients.

Is there a way to get OSSEC to understand these for better centralized monitoring of the fleet? Thanks.

Greg

Example (scrubbed) comes from the logging host 10.0.2.1:

    Mar 4 19:02:48 10.0.2.4 useradd[4961]: new group: name=foobar, GID=501
    Mar 4 19:02:48 10.0.2.4 useradd[4961]: new user: name=foobar, UID=501, GID=501, home=/var/foobar/, shell=/bin/true
    Mar 4 20:17:06 10.0.2.2 sshd[28616]: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Mar 4 20:17:06 10.0.2.4 sshd[1941]: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Mar 4 20:17:06 10.0.2.2 sshd[18964]: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
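The attribution problem Greg describes is easy to see with a small parser for the relay's line format. The following is an added example, not OSSEC code and not something from the original post: it parses the "timestamp host program[pid]: message" header, groups events by the originating host named in that header, and deliberately falls back to attributing header-less lines to the relay (10.0.2.1), which is the mis-attribution a defender wants to catch. The two useradd lines are taken from the post; the sshd messages and the malformed line are constructed sample input, and the function names are mine.

```python
import re
from collections import defaultdict

# The relay that wrote the file; lines without a parsable host header are
# credited to it, mirroring the behaviour described in the post.
RELAY_HOST = "10.0.2.1"

# Constructed sample input. Lines 1-2 are from the post; the sshd messages
# and the trailing malformed line are made up for the example.
SAMPLE_LINES = [
    "Mar 4 19:02:48 10.0.2.4 useradd[4961]: new group: name=foobar, GID=501",
    "Mar 4 19:02:48 10.0.2.4 useradd[4961]: new user: name=foobar, UID=501, "
    "GID=501, home=/var/foobar/, shell=/bin/true",
    "Mar 4 20:17:06 10.0.2.2 sshd[28616]: Accepted publickey for foobar "
    "from 10.0.2.9 port 51234 ssh2",
    "Mar 4 20:17:06 10.0.2.4 sshd[1941]: Failed password for invalid user "
    "admin from 10.0.2.9 port 51240 ssh2",
    "Mar 4 20:17:06 10.0.2.2 sshd[18964]: Accepted publickey for foobar "
    "from 10.0.2.9 port 51236 ssh2",
    "this line carries no syslog header at all",
]

# BSD-syslog style header as written by the relay: a timestamp without a
# year, the originating host (an IP address here), program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict with ts/host/prog/pid/msg, or None if the header is absent."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"]) if ev["pid"] else None
    return ev


def attribute_events(lines, relay_host):
    """Group events by the host named in the header.

    Lines with no parsable header cannot be attributed to a client and are
    credited to the relay, which is exactly the case worth surfacing.
    """
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            ev = {"ts": None, "host": relay_host, "prog": None,
                  "pid": None, "msg": line}
        by_host[ev["host"]].append(ev)
    return dict(by_host)


def summarize(lines, relay_host):
    """Per-host count of events by program; unparsed lines show as '(unparsed)'."""
    summary = {}
    for host, events in attribute_events(lines, relay_host).items():
        counts = defaultdict(int)
        for ev in events:
            counts[ev["prog"] or "(unparsed)"] += 1
        summary[host] = dict(counts)
    return summary


if __name__ == "__main__":
    for host, counts in sorted(summarize(SAMPLE_LINES, RELAY_HOST).items()):
        print(host, counts)
```

Running it shows the useradd and sshd events landing under 10.0.2.4 and 10.0.2.2 rather than under the relay, with only the header-less line charged to 10.0.2.1. Whatever collector is in use, the check a practitioner wants is the same: after ingesting a relay file, confirm that the per-host event counts match the clients named in the headers, and treat a pile of events attributed to the relay itself as a parsing problem rather than as activity on that box.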
