Hi all,
We have tried the Prelude and OSSEC integration and I've found that IDMEF alerts
don't contain any user (srcuser/dstuser) information.
Analyzing the source code, in prelude.c line 278, we have

    add_idmef_object(idmef, "alert.target(0).User.UserId(0).name", lf->dstuser);

We have replaced the previous line with

    if (lf->dstuser != NULL) {
        add_idmef_object(idmef, "alert.target(0).User.category", "2");
        add_idmef_object(idmef, "alert.target(0).User.User_Id(0).name",
                         lf->dstuser);
    }

(similar changes for srcuser) and now IDMEF alerts are generated
correctly.
Could you introduce these changes in the next release?
Thank you in advance!
Nacho