Daniel Cid would be able to provide a better answer, since mine is
just speculation.
Here is the corresponding entry from /var/log/daemon:
Apr  1 12:44:33 ix named[19050]: client 192.168.1.9#26553: query: 111.1.168.192.in-addr.arpa IN PTR +
And here is a log entry from logs/archives/archive.log:
2010 Apr 01 12:44:34 ix->/var/log/daemon Apr  1 12:44:33 ix named[19050]: client 192.168.1.9#26553: query: 111.1.168.192.in-addr.arpa IN PTR +

The first example is the raw log in the system file. It has the date
that the event was logged, the hostname, process name, etc.
The second example is ossec's archived log. It starts with the date
that ossec received (?) the event from the agent, the name of the
agent->log file in which the event was recorded, and finally the log entry.

In the example log you sent, we can see something very similar:

Date ossec received the event:
2010 Mar 22 00:44:20

(agent name) IP->log type (instead of the file I guess):
(SERVER01) 99.99.99.99->WinEvtLog

Original log:
WinEvtLog:
System: WARNING(9015): MetaFrame: (no user): no domain: SERVER01:
Citrix Presentation Server has entered the grace period. You have 840
hour(s) remaining before this server stops accepting connections from
client devices.

So everything before the Original log is kind of metadata for ossec,
information it used when breaking down the event it received.
Hope that helps (read: makes sense), and isn't totally wrong. ;)
dan

On Thu, Apr 1, 2010 at 9:42 AM, Bart V. <[email protected]> wrote:
> I did as you suggested and it decoded correctly.
> However, can you explain why my first attempt did not work? (The log
> entry came from an archived ossec log.)
>
> I would like to understand better how logs are dissected so I can make
> effective and efficient rules for my environment.
>
> Thanks for any insight anyone may provide.
>
> Bart
>
>
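The archive.log layout described in the message above (ossec's own receive timestamp, then `location->source`, then the original log), as an added example that is not part of the original thread and is not OSSEC's code. The parser below splits that prefix off and returns the original line, which is the text the decoders are written against; the two full-length sample lines are constructed from the fragments quoted in the thread (the exact single-line layout of the Windows agent entry, with one space between `WinEvtLog` and the original event, is an assumption), and the third line is the raw /var/log/daemon entry with no archive prefix at all.

```python
import re
from datetime import datetime
from typing import Dict, Optional

# Archive prefix assumed from the thread:
#   "YYYY Mon DD HH:MM:SS <location>-><source> <original log>"
# <location> is either a bare hostname ("ix") for the local server or
# "(agentname) ip" for a remote agent ("(SERVER01) 99.99.99.99").
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<location>\([^)]+\) [^\s>]+|[^\s>]+)->(?P<source>\S+) "
    r"(?P<log>.*)$"
)
AGENT_RE = re.compile(r"^\((?P<name>[^)]+)\) (?P<ip>[^\s>]+)$")

# Raw syslog entry, copied from the thread.
RAW_LOG = (
    "Apr  1 12:44:33 ix named[19050]: client 192.168.1.9#26553: query: "
    "111.1.168.192.in-addr.arpa IN PTR +"
)

# Constructed sample lines (single-line form of what the thread shows wrapped).
SAMPLE_LINES = [
    "2010 Apr 01 12:44:34 ix->/var/log/daemon " + RAW_LOG,
    "2010 Mar 22 00:44:20 (SERVER01) 99.99.99.99->WinEvtLog WinEvtLog: "
    "System: WARNING(9015): MetaFrame: (no user): no domain: SERVER01: "
    "Citrix Presentation Server has entered the grace period. You have 840 "
    "hour(s) remaining before this server stops accepting connections from "
    "client devices.",
    RAW_LOG,  # no archive prefix: already the original log
]


def parse_archive_line(line: str) -> Optional[Dict[str, object]]:
    """Split an archive.log line into ossec metadata and the original log.

    Returns None when the line carries no archive prefix (i.e. it is already
    a raw log line), so callers can tell the two apart instead of guessing.
    """
    m = ARCHIVE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec: Dict[str, object] = {
        "received_at": datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S"),
        "agent": None,
        "ip": None,
        "source": m.group("source"),  # file path, or a type such as WinEvtLog
        "log": m.group("log"),        # the entry exactly as the source wrote it
    }
    am = AGENT_RE.match(m.group("location"))
    if am:
        rec["agent"] = am.group("name")
        rec["ip"] = am.group("ip")
    else:
        rec["agent"] = m.group("location")  # local server: hostname only
    return rec


def original_log(line: str) -> str:
    """Return the original log text, stripping the archive prefix if present."""
    rec = parse_archive_line(line)
    return str(rec["log"]) if rec is not None else line


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_archive_line(line)
        if rec is None:
            print("raw log (no archive metadata):", line)
            continue
        print(f"received {rec['received_at']} from {rec['agent']} "
              f"({rec['ip'] or 'local'}) via {rec['source']}")
        print("  original:", rec["log"])
```

Run it over a real archive.log with `for line in open(path): print(original_log(line))` to get back the lines as the sources wrote them; the metadata fields are what you would key on when deciding which agent or file a rule should apply to.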
