Thanks for your answers. I don't have an agent on the remote hosts; I'm collecting logs to a centralized syslog-ng, which passes events to an ossec process.
d.

2010/3/29 dan (ddp) <[email protected]>:
> Run this message through /var/ossec/bin/ossec-logtest
> Writing a decoder for this shouldn't be too difficult.
> There isn't really a srcip for this event (if I'm reading it right).
> The event looks like a local event (local to the agent that reported
> it), so there wouldn't be a srcip involved.
>
> On Sun, Mar 28, 2010 at 5:15 PM, Davide D'Amico <[email protected]>
> wrote:
>> Hi,
>> I'm using syslog-ng to collect and centralize logs management.
>>
>> Syslog is configured:
>>
>> [...]
>> destination d_ossec {
>>     udp(127.0.0.1, destport(1025) spoof_source(yes) template($MSG));
>> };
>>
>> source s_network {
>>     udp();
>>     tcp(port(514) max-connections(1000));
>> };
>>
>> log {
>>     source(s_network);
>>     filter(f_network6);
>>     destination(d_ossec);
>> };
>> [...]
>>
>> Well, I receive in the syslog log file:
>>
>> r...@newton:/var/ossec/logs/alerts# tail -1 /usr/local/logs/network7/esx.housing.tomato.lan/2010/03/28/local6.log
>> Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 1700000003000000b type CHAR: Would block
>>
>> While I see in alerts.log:
>>
>> ** Alert 1269810692.31088430: - syslog,errors,
>> 2010 Mar 28 23:11:32 newton->172.16.7.120
>> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>> Src IP: (none)
>> User: (none)
>> vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 oid: 1700000003000000b type CHAR: Would block
>>
>> Why do I see Src IP and User empty? I mean, I can understand an empty
>> username (it's a remote event), but why is Src IP empty?
>>
>> Rule 1002 is:
>>
>> <rule id="1002" level="2">
>>   <match>$BAD_WORDS</match>
>>   <description>Unknown problem somewhere in the system.</description>
>> </rule>
>>
>> Thanks,
>> --
>> d.
>>
>> To unsubscribe from this group, send email to
>> ossec-list+unsubscribegooglegroups.com or reply to this email with the words
>> "REMOVE ME" as the subject.

--
d.
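As an added example (not from the thread, and not the OSSEC project's own ruleset), this is the kind of local decoder and rule dan suggests writing for the vmkernel line quoted above. Because syslog-ng forwards only $MSG, the line reaching OSSEC carries no syslog header, so the decoder keys on a prematch instead of program_name; the decoder and rule names, the rule id, and the file paths are assumptions, and ossec-logtest is the place to confirm which rule wins.

```xml
<!-- Assumed location: /var/ossec/etc/local_decoder.xml -->
<!-- Parent: the forwarded line starts with the program name, e.g.
     "vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: ..." -->
<decoder name="vmkernel">
  <prematch>^vmkernel: </prematch>
</decoder>

<!-- Child: only for WARNING lines. Captures the subsystem (UserObj) into
     status and the text after the line number into extra_data. The event is
     local to the ESX host, so no srcip is decoded; Src IP stays (none). -->
<decoder name="vmkernel-warning">
  <parent>vmkernel</parent>
  <prematch>WARNING: </prematch>
  <regex offset="after_prematch">^(\S+): \d+: (\.+)$</regex>
  <order>status, extra_data</order>
</decoder>

<!-- Assumed location: /var/ossec/etc/local_rules.xml
     Rule id taken from the 100000-119999 range reserved for local rules.
     Level 4 sits above the generic rule 1002 (level 2) that currently
     matches this line via $BAD_WORDS ("Failed"); verify with
     /var/ossec/bin/ossec-logtest that this rule is the one reported. -->
<group name="vmkernel,">
  <rule id="100200" level="4">
    <decoded_as>vmkernel</decoded_as>
    <match>WARNING: </match>
    <description>VMware ESX vmkernel warning.</description>
  </rule>
</group>
```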
