Hi,
I'm using syslog-ng to collect and centralize log management.
Syslog is configured:
[...]
# forward only the message text ($MSG) to the local OSSEC syslog listener,
# keeping the original sender's address as the packet source
destination d_ossec {
    udp("127.0.0.1" destport(1025) spoof_source(yes) template("$MSG"));
};
# remote syslog input: UDP on the default port, TCP on 514
source s_network {
    udp();
    tcp(port(514) max-connections(1000));
};
log {
    source(s_network);
    filter(f_network6);
    destination(d_ossec);
};
[...]
Well, this is what I receive in the syslog log file:
r...@newton:/var/ossec/logs/alerts# tail -1 /usr/local/logs/network7/esx.housing.tomato.lan/2010/03/28/local6.log
Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 1700000003000000b type CHAR: Would block
While I see in alerts.log:
** Alert 1269810692.31088430: - syslog,errors,
2010 Mar 28 23:11:32 newton->172.16.7.120
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 1700000003000000b type CHAR: Would block
Why do I see Src IP and User empty? I mean, I can understand an empty
username (it's a remote event), but why is Src IP empty?
Rule 1002 is:
<rule id="1002" level="2">
<match>$BAD_WORDS</match>
<description>Unknown problem somewhere in the system.</description>
</rule>
Thanks,
--
d.
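The Src IP field of an OSSEC alert is filled only when a decoder extracts a source address from the message body; a generic match such as rule 1002 leaves it at `(none)`, while the address OSSEC recorded as the syslog origin still appears after the `->` in the location line (here `newton->172.16.7.120`). As an added example that is not part of the original thread or of OSSEC itself, this parser reads one alerts.log block into fields and falls back to that location origin when Src IP is empty; the sample block is constructed from the alert quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample: the alert block quoted in the post, as OSSEC writes it to alerts.log.
SAMPLE_ALERT = """** Alert 1269810692.31088430: - syslog,errors,
2010 Mar 28 23:11:32 newton->172.16.7.120
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 1700000003000000b type CHAR: Would block
"""
HEADER_RE = re.compile(r"^\*\* Alert (?P<id>[\d.]+):(?: (?P<flags>\S+))? - (?P<groups>.*)$")
WHERE_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<location>.+)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")

@dataclass
class Alert:
    alert_id: str
    groups: list
    timestamp: str
    location: str          # OSSEC's "host->origin" line; the syslog sender's address lands here
    rule_id: int
    level: int
    description: str
    src_ip: Optional[str]  # None when OSSEC printed "(none)": no decoder extracted a srcip
    user: Optional[str]
    message: str

def _field(line: str, label: str) -> Optional[str]:
    """Value of a 'Label: value' line, mapping OSSEC's '(none)' to None."""
    if not line.startswith(label + ": "):
        raise ValueError(f"expected {label!r} line, got {line!r}")
    value = line[len(label) + 2:].strip()
    return None if value == "(none)" else value

def parse_alert(block: str) -> Alert:
    """Parse one '** Alert' block from alerts.log; raises ValueError if malformed."""
    lines = block.strip("\n").splitlines()
    head, where, rule = (r.match(ln) for r, ln in zip((HEADER_RE, WHERE_RE, RULE_RE), lines))
    if len(lines) < 6 or not (head and where and rule):
        raise ValueError("not a well-formed OSSEC alert block")
    return Alert(alert_id=head["id"], groups=[g for g in head["groups"].split(",") if g],
                 timestamp=where["ts"], location=where["location"], rule_id=int(rule["id"]),
                 level=int(rule["level"]), description=rule["desc"],
                 src_ip=_field(lines[3], "Src IP"), user=_field(lines[4], "User"),
                 message="\n".join(lines[5:]))

def origin(alert: Alert) -> str:
    """Decoder-extracted Src IP when present, else the origin OSSEC recorded after '->'."""
    return alert.src_ip or alert.location.split("->", 1)[-1]
```

Splitting alerts.log on blank lines and feeding each block to parse_alert() gives one Alert per entry, with origin() supplying the sender address for correlation even when the Src IP field is empty.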