Is there any way to remove the IP or the hostname (ISPAN-RYD-FW I'm
guessing) from the messages? OSSEC doesn't like to see both in the
syslog messages.
If one of those is removed it seems to work fine:
Jul 31 09:52:46 1.1.1.1 ISPAN-RYD-FW %PIX-6-302014: Teardown TCP
connection 140565278 for ispan-test:2.2.2.2/1266 to core:3.3.3.3/9281
duration 0:00:30 bytes 0 SYN Timeout


**Phase 1: Completed pre-decoding.
       full event: 'Jul 31 09:52:46 1.1.1.1 ISPAN-RYD-FW
%PIX-6-302014: Teardown TCP connection 140565278 for
ispan-test:2.2.2.2/1266 to core:3.3.3.3/9281 duration 0:00:30 bytes 0
SYN Timeout'
       hostname: '1.1.1.1'
       program_name: '(null)'
       log: 'ISPAN-RYD-FW %PIX-6-302014: Teardown TCP connection
140565278 for ispan-test:2.2.2.2/1266 to core:3.3.3.3/9281 duration
0:00:30 bytes 0 SYN Timeout'

**Phase 2: Completed decoding.
       No decoder matched.
Jul 31 09:52:46 ISPAN-RYD-FW %PIX-6-302014: Teardown TCP connection
140565278 for ispan-test:2.2.2.2/1266 to core:3.3.3.3/9281 duration
0:00:30 bytes 0 SYN Timeout


**Phase 1: Completed pre-decoding.
       full event: 'Jul 31 09:52:46 ISPAN-RYD-FW %PIX-6-302014:
Teardown TCP connection 140565278 for ispan-test:2.2.2.2/1266 to
core:3.3.3.3/9281 duration 0:00:30 bytes 0 SYN Timeout'
       hostname: 'ISPAN-RYD-FW'
       program_name: '(null)'
       log: '%PIX-6-302014: Teardown TCP connection 140565278 for
ispan-test:2.2.2.2/1266 to core:3.3.3.3/9281 duration 0:00:30 bytes 0
SYN Timeout'

**Phase 2: Completed decoding.
       decoder: 'pix'
       id: '6-302014'

**Phase 3: Completed filtering (rules).
       Rule id: '4314'
       Level: '0'
       Description: 'PIX notification/informational message.'


On Sat, Jul 31, 2010 at 3:18 AM, Muraleedaran Kanapathy
<[email protected]> wrote:
> Hi
>
> I have disabled the date and time appearing twice in the syslog and now the 
> syslog entry look like this
>
> Jul 31 09:52:46 1.1.1.1 ISPAN-RYD-FW %PIX-6-302014: Teardown TCP connection 
> 140565278 for ispan-test:2.2.2.2/1266 to core:3.3.3.3/9281 duration 0:00:30 
> bytes 0 SYN Timeout
>
> 1.1.1.1 is the firewall ip
> 2.2.2.2 and 3.3.3.3 are different ips
>
> But ossec does the same thing again. Any valuable input is highly appreciated.
>
> Best regards,
>
> Muraleedaran Kanapathy| Linux/Unix System  Engineer -  ISS Department
> Voice +966(1) 288-8888 ext 1422 | Fax +966(1) 288-8899 ext 1422
> Integrated Networks | Faisaliah Tower | Level 7A |
> PO Box 53553, Riyadh 11593, KSA | GMT +3 |
> Email [email protected]
>
> Disclaimer: This electronic mail message contains information that (a) is or 
> may be LEGALLY PRIVILEGED, CONFIDENTIAL, PROPRIETARY IN NATURE, OR OTHERWISE 
> PROTECTED BY LAW FROM DISCLOSURE, and (b) is intended only for the use of the 
> Addressee(s) named herein. If you are not the intended recipient, an 
> addressee, or the person responsible for delivering this to an addressee, you 
> are hereby notified that reading, using, copying, or distributing any part of 
> this message is strictly prohibited. If you have received this electronic 
> mail message in error, please contact us immediately and take the steps 
> necessary to delete the message completely from your computer system. Unless 
> explicitly attributed, the opinions expressed in this message do not 
> necessarily represent the official position or opinions of Integrated 
> Networks LLC., whilst all care has been taken, Integrated Networks LLC. 
> disclaims all liability for loss or damage to person or property arising from 
> this message being infected by computer virus or any type of contamination.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On 
> Behalf Of dan (ddp)
> Sent: Thursday, July 29, 2010 6:05 PM
> To: [email protected]
> Subject: Re: [ossec-list] PIX Logging with OSSEC
>
> On Thu, Jul 29, 2010 at 8:56 AM, Muraleedaran Kanapathy
> <[email protected]> wrote:
>> Hi
>>
>> Thanks for the reply.
>>
>> But one more thing may be it is useful for your troubleshooting.
>>
>> I am running syslog-ng on the same server and ossec is configured to scan 
>> the files.
>>
>> Also I disabled the syslog-ng and enabled the syslog on ossec but the 
>> results are same.
>>
>> Jul  1 06:52:51 x.x.x.x Jul 01 2010 06:45:13 test-RYD-FW : %PIX-2-106001: 
>> Inbound TCP connection denied from y.y.y.y/3438 to z.z.z.z/6000 flags
>> SYN  on interface ispan-test
>> Jul  1 06:53:04 x.x.x.x Jul 01 2010 06:45:26 ISPAN-RYD-FW : %PIX-2-106001: 
>> Inbound TCP connection denied from y.y.y.y /3445 to z.z.z.z /6000 flags
>> SYN  on interface ispan-test
>> Jul  1 06:53:07 x.x.x.x Jul 01 2010 06:45:29 ISPAN-RYD-FW : %PIX-2-106001: 
>> Inbound TCP connection denied from y.y.y.y /3445 to z.z.z.z /6000 flags
>> SYN  on interface ispan-test
>> Jul  1 06:53:13 x.x.x.x Jul 01 2010 06:45:35 ISPAN-RYD-FW : %PIX-2-106001: 
>> Inbound TCP connection denied from y.y.y.y /3445 to z.z.z.z /6000 flags
>>
>>
>>
>
> There's definitely something strange going on with your syslog setup.
> Notice in those messages that the date and hostname/ip fields are
> repeated. This will confuse ossec. You'll have to figure out how to
> stop that.
>

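Added example, not code from the thread or from OSSEC itself: a small Python model of the pre-decoding behaviour visible in the ossec-logtest output above (timestamp, one host token, the remainder becomes the log field), a stand-in for the 'pix' decoder that only fires when the log field begins with "%PIX-", and a normaliser you could run over the syslog-ng output file before OSSEC reads it. The decoder prematch, the choice to keep the hostname rather than the IP, and the sample lines (built from the placeholder addresses in the thread) are all assumptions of the example.

```python
"""Model of the failure shown in the thread: a BSD syslog header that
carries both the firewall IP and its hostname pushes the hostname into
OSSEC's log field, so the %PIX- prematch no longer sits at the start.

Added example, not OSSEC code.  It imitates only what ossec-logtest
printed above; the real pre-decoder and 'pix' decoder do more.
"""
import ipaddress
import re

# Constructed from the thread, same placeholder addresses.
BOTH_FIELDS = ("Jul 31 09:52:46 1.1.1.1 ISPAN-RYD-FW %PIX-6-302014: Teardown TCP "
               "connection 140565278 for ispan-test:2.2.2.2/1266 to "
               "core:3.3.3.3/9281 duration 0:00:30 bytes 0 SYN Timeout")
HOST_ONLY = ("Jul 31 09:52:46 ISPAN-RYD-FW %PIX-6-302014: Teardown TCP "
             "connection 140565278 for ispan-test:2.2.2.2/1266 to "
             "core:3.3.3.3/9281 duration 0:00:30 bytes 0 SYN Timeout")

# BSD syslog header: "Mon DD HH:MM:SS <host> <rest>" (day may be space-padded).
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)

# Assumed prematch for the 'pix' decoder: the log field must start with
# the PIX message tag, which is exactly what the two logtest runs differ on.
_PIX_PREMATCH = re.compile(r"^%PIX-(?P<sev>\d)-(?P<msgid>\d+):")


def predecode(line):
    """Phase 1 as printed by ossec-logtest: hostname, program_name, log."""
    m = _HEADER.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    return {"hostname": m.group("host"), "program_name": None,
            "log": m.group("rest")}


def decode_pix(fields):
    """Phase 2 stand-in: the decoder id ('6-302014') or None if no match."""
    m = _PIX_PREMATCH.match(fields["log"])
    if not m:
        return None
    return f"{m.group('sev')}-{m.group('msgid')}"


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def normalize(line):
    """Drop the IP when the header carries 'IP HOSTNAME %PIX-...'.

    Strips only when the header host is an IP literal, the next token is a
    bare hostname (no ':' so it cannot be a program name), and the message
    proper starts with the PIX tag; anything else is returned unchanged so
    the normaliser never eats data from other log sources in the same file.
    Keeping the hostname rather than the IP is a choice, not a requirement;
    the thread reports that either one alone works.
    """
    fields = predecode(line)
    if fields["hostname"] is None or not _is_ip(fields["hostname"]):
        return line
    first, _, remainder = fields["log"].partition(" ")
    if ":" in first or not remainder.startswith("%PIX-"):
        return line
    ts = _HEADER.match(line).group("ts")
    return f"{ts} {first} {remainder}"


if __name__ == "__main__":
    for raw in (BOTH_FIELDS, HOST_ONLY):
        fixed = normalize(raw)
        print("raw   decoder:", decode_pix(predecode(raw)))
        print("fixed decoder:", decode_pix(predecode(fixed)))
```

Run it over the syslog-ng output file (or wire the same condition into a syslog-ng rewrite/template) and ossec-analysisd sees the second form from the logtest output above, where the log field begins with the %PIX- tag and rule 4314 fires. If you would rather keep the IP for correlation, swap the two tokens in the return statement of normalize; the point is that exactly one host token survives.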