On Wed, Jul 28, 2010 at 2:22 AM, Muraleedaran Kanapathy
<[email protected]> wrote:
> Thanks Dan for the input.
>
> But my concern is that all the alerts related to PIX come with "Unknown
> problem somewhere in the system".
>
> Also, in the Web UI, when I filter the log type as Pix, nothing shows up.
>
> Is there any workaround to solve this issue?
>
> Best regards,
>
> Muraleedaran Kanapathy| Linux/Unix System Engineer - ISS Department
> Voice +966(1) 288-8888 ext 1422 | Fax +966(1) 288-8899 ext 1422
> Integrated Networks | Faisaliah Tower | Level 7A |
> PO Box 53553, Riyadh 11593, KSA | GMT +3 |
> Email [email protected]
>
I'm guessing nothing shows up in the WUI under PIX because the alerts
aren't recognized so they are not being grouped properly.
The "Unknown problem..." issue is because the alerts aren't being
recognized. Try running a few of them through ossec-logtest. Do they
turn out like the example I posted, or do they continue to fall under
Rule ID 1002?
I'm starting to suspect something is off, because I thought the
example you posted would show up under the following rule:
  <rule id="4311" level="5">
    <if_sid>4300</if_sid>   <!-- child of rule 4300, the PIX grouping rule -->
    <id>^2-</id>            <!-- decoded message id starts with "2-" (PIX severity 2 = critical) -->
    <description>PIX critical message.</description>
  </rule>
Is there any chance you could post a few more example log messages?
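The following is an added illustration, not code from this thread or from OSSEC itself: a simplified model of why a PIX message either lands on rule 4311 or, when the PIX decoder never fires, falls through to the generic keyword rule 1002. The decoder regex, the $BAD_WORDS subset and the sample log lines are constructed approximations, not OSSEC's real decoder.xml or rule files.

```python
import re

# Simplified model of OSSEC's PIX handling (constructed for this example, not
# OSSEC's own code): a decoder that only fires on a Cisco PIX/ASA/FWSM message
# prefix, plus the three rules discussed in the thread (4300, 4311, 1002).
PIX_ID = re.compile(r"^%(?:PIX|ASA|FWSM)-(\d-\d{6}): ")

# Subset of the $BAD_WORDS keywords used by OSSEC's catch-all rule 1002.
BAD_WORDS = re.compile(r"failure|error|attack|denied|refused|unauthorized|fatal|failed")

def decode_pix(msg):
    """Return {'id': '2-106001'} when the PIX decoder matches, else None."""
    m = PIX_ID.match(msg)
    return {"id": m.group(1)} if m else None

def match_rule(msg):
    """Resolve a message to (rule_id, description) the way the rule chain does."""
    fields = decode_pix(msg)
    if fields:
        # Rule 4300 groups everything the PIX decoder recognised; 4311 is its
        # child for message ids starting with "2-" (PIX severity 2 = critical).
        if fields["id"].startswith("2-"):
            return 4311, "PIX critical message."
        return 4300, "Grouping of PIX rules."
    # Decoder did not fire, so only the generic keyword rule is left to match.
    if BAD_WORDS.search(msg):
        return 1002, "Unknown problem somewhere in the system."
    return None, "no rule matched"

# Constructed sample messages, syslog header already stripped as ossec-logtest does.
SAMPLES = [
    # Well-formed PIX critical message: decoder fires, lands on 4311.
    "%PIX-2-106001: Inbound TCP connection denied from 10.0.0.1/1234 to 192.168.1.5/80 flags SYN on interface outside",
    # Same content with stray text left in front of the %PIX tag: the decoder
    # never fires and the word "denied" drops it into rule 1002.
    "fw01 %PIX-2-106001: Inbound TCP connection denied from 10.0.0.1/1234 to 192.168.1.5/80 flags SYN on interface outside",
    # Informational PIX message: decoded and grouped under 4300, no critical child.
    "%PIX-6-302013: Built outbound TCP connection 12 for outside:10.0.0.1/80 (10.0.0.1/80) to inside:192.168.1.5/4000 (192.168.1.5/4000)",
]

def classify(messages):
    """Rule id each message resolves to, in input order."""
    return [match_rule(m)[0] for m in messages]

if __name__ == "__main__":
    for msg in SAMPLES:
        rid, desc = match_rule(msg)
        print(f"rule {rid}: {desc}")
```

Running ossec-logtest on real PIX lines and checking whether the decoder section names the pix decoder is the equivalent check against the actual install.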