On Thu, Jul 29, 2010 at 8:56 AM, Muraleedaran Kanapathy <[email protected]> wrote:
> Hi
>
> Thanks for the reply.
>
> But one more thing, maybe it is useful for your troubleshooting.
>
> I am running syslog-ng on the same server and ossec is configured to scan
> the files.
>
> Also I disabled the syslog-ng and enabled the syslog on ossec but the results
> are the same.
>
> Jul 1 06:52:51 x.x.x.x Jul 01 2010 06:45:13 test-RYD-FW : %PIX-2-106001:
> Inbound TCP connection denied from y.y.y.y/3438 to z.z.z.z/6000 flags
> SYN on interface ispan-test
> Jul 1 06:53:04 x.x.x.x Jul 01 2010 06:45:26 ISPAN-RYD-FW : %PIX-2-106001:
> Inbound TCP connection denied from y.y.y.y /3445 to z.z.z.z /6000 flags
> SYN on interface ispan-test
> Jul 1 06:53:07 x.x.x.x Jul 01 2010 06:45:29 ISPAN-RYD-FW : %PIX-2-106001:
> Inbound TCP connection denied from y.y.y.y /3445 to z.z.z.z /6000 flags
> SYN on interface ispan-test
> Jul 1 06:53:13 x.x.x.x Jul 01 2010 06:45:35 ISPAN-RYD-FW : %PIX-2-106001:
> Inbound TCP connection denied from y.y.y.y /3445 to z.z.z.z /6000 flags
There's definitely something strange going on with your syslog setup. Notice in those messages that the date and hostname/ip fields are repeated. This will confuse ossec. You'll have to figure out how to stop that.
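A small check for the duplicated header the reply points at, added here as an example and not code from the thread or from OSSEC: it flags lines where a relay's syslog header precedes a message that already carries its own PIX timestamp and hostname, and strips the outer header so the line starts with the firewall's fields. The sample lines are constructed from the quoted messages (x.x.x.x etc. are the thread's own placeholders), and the regexes assume the BSD syslog and PIX header layouts shown above.

```python
import re

# Constructed sample lines modelled on the quoted PIX messages. The first two
# carry the relay header ("Jul  1 06:52:51 x.x.x.x") in front of the PIX
# header; the third is what a single-header line looks like.
SAMPLE_LINES = [
    "Jul  1 06:52:51 x.x.x.x Jul 01 2010 06:45:13 test-RYD-FW : %PIX-2-106001: "
    "Inbound TCP connection denied from y.y.y.y/3438 to z.z.z.z/6000 flags SYN "
    "on interface ispan-test",
    "Jul  1 06:53:04 x.x.x.x Jul 01 2010 06:45:26 ISPAN-RYD-FW : %PIX-2-106001: "
    "Inbound TCP connection denied from y.y.y.y/3445 to z.z.z.z/6000 flags SYN "
    "on interface ispan-test",
    "Jul  1 06:53:07 ISPAN-RYD-FW : %PIX-2-106001: Inbound TCP connection denied "
    "from y.y.y.y/3445 to z.z.z.z/6000 flags SYN on interface ispan-test",
]

MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
# Outer (relay) header: "Mon  d HH:MM:SS host "
OUTER = re.compile(rf"^{MONTH}\s+\d{{1,2}} \d\d:\d\d:\d\d \S+ ")
# Inner PIX header: "Mon dd yyyy HH:MM:SS hostname : %PIX-s-nnnnnn: text"
INNER = re.compile(rf"^({MONTH} \d\d \d{{4}} \d\d:\d\d:\d\d) (\S+) : (%PIX-\d-\d+: .*)$")


def has_double_header(line):
    """True when a relay header is followed by a message with its own PIX header."""
    m = OUTER.match(line)
    return bool(m) and INNER.match(line[m.end():]) is not None


def normalize(line):
    """Strip the relay header so the line starts with the PIX timestamp and host.
    Lines without the duplicated header are returned unchanged."""
    m = OUTER.match(line)
    if m and INNER.match(line[m.end():]):
        return line[m.end():]
    return line


def parse_pix(line):
    """Return (timestamp, hostname, message) from a PIX line, or None if it
    does not carry a PIX header after normalisation."""
    m = INNER.match(normalize(line))
    return m.groups() if m else None


def count_double_headers(lines):
    """How many lines in a batch would confuse a decoder expecting one header."""
    return sum(1 for line in lines if has_double_header(line))
```

Running it over the quoted lines reports two double-header lines, which is the symptom the reply describes.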
