Hi,

The reason for this is that OSSEC cannot make anything of this message.

You should look at the vmware decoder in /var/ossec/etc/decoder.xml and change it so it will pick up this message.

cheers,

W
On 28 Mar 2010, at 23:15, Davide D'Amico wrote:

> Hi,
> I'm using syslog-ng to collect and centralize log management.
> 
> Syslog is configured:
> 
> [...]
> destination d_ossec {
>  udp("127.0.0.1" destport(1025) spoof_source(yes) template("$MSG"));
> };
> 
> source s_network {
>        udp();
>        tcp(port(514) max-connections(1000));
> };
> 
> 
> log {
>  source(s_network);
>  filter(f_network6);
>  destination(d_ossec);
> };
> 
> 
> [...]
> 
> Well, I receive in syslog log file:
> 
> r...@newton:/var/ossec/logs/alerts# tail -1 /usr/local/logs/network7/esx.housing.tomato.lan/2010/03/28/local6.log
> Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 1700000003000000b type CHAR: Would block
> 
> While I see in alerts.log:
> 
> ** Alert 1269810692.31088430: - syslog,errors,
> 2010 Mar 28 23:11:32 newton->172.16.7.120
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Src IP: (none)
> User: (none)
> vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 1700000003000000b type CHAR: Would block
> 
> Why do I see Src IP and User empty? I mean, I can understand an empty
> username (it's a remote event), but why is Src IP empty?
> 
> Rule 1002 is:
> 
> <rule id="1002" level="2">
>   <match>$BAD_WORDS</match>
>   <description>Unknown problem somewhere in the system.</description>
> </rule>
> 
> 
> Thanks,
> -- 
> d.
> 
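As an added example (not from either poster), here is one way the vmware decoder advice above can be applied to the exact line in the alert. Because the syslog-ng template forwards only $MSG, the syslog timestamp and hostname are stripped before OSSEC sees the line, so OSSEC cannot fill program_name from the header and the decoder has to anchor on the literal `vmkernel: ` prefix instead; the decoder names, the rule id (from the 100000-109999 local range) and the choice of extra_data/data fields are assumptions, and the Src IP field stays empty because nothing in this message is an address to capture into srcip (the sending host shows up in the location field, `newton->172.16.7.120`, instead).

```xml
<!-- Hypothetical decoders for decoder.xml (names are assumptions). -->

<!-- Parent: match the forwarded line by its literal prefix, since the
     $MSG template removed the syslog header OSSEC normally uses for
     program_name. -->
<decoder name="vmkernel-forwarded">
  <prematch>^vmkernel: </prematch>
</decoder>

<!-- Child: pick up the vmkernel warning format
     "<uptime> cpu<N>:<world>)WARNING: <Module>: <line>: <text>".
     After the parent's prematch the text starts at the uptime stamp. -->
<decoder name="vmkernel-forwarded-warning">
  <parent>vmkernel-forwarded</parent>
  <prematch offset="after_parent">^\S+ cpu\d+:\d+\)WARNING: </prematch>
  <!-- Capture the module name (UserObj) and the message text that
       follows the source line number. -->
  <regex offset="after_prematch">^(\w+): \d+: (\.+)$</regex>
  <order>extra_data, data</order>
</decoder>

<!-- Hypothetical rule for local_rules.xml: fires on the decoded event
     instead of falling through to the generic rule 1002. -->
<group name="vmware,">
  <rule id="100200" level="5">
    <decoded_as>vmkernel-forwarded</decoded_as>
    <match>WARNING: </match>
    <description>ESX vmkernel warning forwarded by syslog-ng.</description>
  </rule>
</group>
```

After restarting ossec, /var/ossec/bin/ossec-logtest can be fed the line `vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 1700000003000000b type CHAR: Would block` to confirm that both decoders match and the local rule is the one that fires.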

To unsubscribe from this group, send email to ossec-list+unsubscribe@googlegroups.com or reply to this email with the words "REMOVE ME" as the subject.
