I'd like to clarify and add that the OSSEC server host's Location field in

discosco ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; Location: discosco->/var/log/secure; srcip: 72.55.156.23; Apr 12 22:35:40 cricket-dev sshd[19838]: Invalid user recruit from 72.55.156.23

does not include the hostname in parentheses. We very much want that hostname to be in parentheses and with its IP address specified, in addition to being an FQDN. Eventually, we will have multiple OSSEC server hosts running, and having the hostname in FQDN format will be very helpful in the context of multiple OSSEC server hosts running. Any syslog output from an OSSEC server host should look as follows:

discosco ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; Location: (discosco.lady-gaga.net) 74.143.171.166 ->/var/log/secure; srcip: 72.55.156.23; Apr 12 22:35:40 discosco sshd[19838]: Invalid user recruit from 72.55.156.23

Another clarification: I misstated the OSSEC client host example in my first post. It should have been:

> The format of OSSEC's syslog output for OSSEC clients is as typified
> in this example:
>
> client ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying
> to get access to the system.; Location: (client.lady-gaga.net)
> 74.143.171.166->/var/log/secure; srcip: 72.55.156.23; Apr 12 22:35:40
> client sshd[19838]: Invalid user recruit from 72.55.156.23

Sorry if I caused any confusion.

On May 4, 6:53 pm, blacklight <[email protected]> wrote:
> Hello Folks,
>
> The format of OSSEC's syslog output for OSSEC clients is as typified
> in this example:
>
> client ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying
> to get access to the system.; Location: (client.lady-gaga.net)
> 74.143.171.166->/var/log/secure; srcip: 72.55.156.23; Apr 12 22:35:40
> client sshd[19838]: Invalid user recruit from 72.55.156.23
>
> Note that the value of the location field is the FQDN of the OSSEC
> client host followed by its IP address - this is what we want.
>
> On the other hand, this is the format of the OSSEC syslog output for
> the OSSEC server itself as typified in this example:
>
> discosco ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying
> to get access to the system.; Location: discosco->/var/log/secure;
> srcip: 72.55.156.23; Apr 12 22:35:40 cricket-dev sshd[19838]: Invalid
> user recruit from 72.55.156.23
>
> Note that the Location field has the relative name of the host rather
> than the FQDN and we really want the FQDN. Further, note that the
> syslog output record for the OSSEC server host does NOT include the IP
> address of the host.
>
> We would very much like the format of the OSSEC syslog output entries
> for the OSSEC server host to have the same structure as the format of
> the OSSEC syslog output entries for the OSSEC clients - the reason is
> that we are exporting the OSSEC syslog output to a syslog server where
> we process this output. For this reason, we need the format of the
> OSSEC syslog output to be consistent.
>
> Hopefully, you will make the necessary changes in the OSSEC code, but
> is there anything I can specify in the OSSEC configuration files in
> the meantime?
>
> Thanks,
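As an added illustration, not part of the thread or of OSSEC's own code: a collector-side parser for the two syslog-output shapes quoted above that records which Location form it saw, and a normalizer that fills in the FQDN and IP for server-origin alerts from a caller-supplied host table (the table and the sample lines are constructed from the thread's examples).

```python
import re
from dataclasses import dataclass, replace
from typing import Optional
# Field order of one OSSEC syslog-output line as quoted in the thread; srcip is optional.
ALERT_RE = re.compile(
    r"^(?P<reporter>\S+) ossec: Alert Level: (?P<level>\d+); Rule: (?P<rule>\d+) - "
    r"(?P<desc>.*?); Location: (?P<location>.*?); (?:srcip: (?P<srcip>\S+); )?(?P<event>.*)$"
)
# Agents write "(fqdn) ip->file"; the server writes only "shortname->file" (the inconsistency at issue).
LOCATION_RE = re.compile(
    r"^(?:\((?P<fqdn>[^)]+)\)\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})|(?P<host>[^(>]+?))\s*->(?P<file>.+)$"
)

@dataclass
class OssecAlert:
    level: int
    rule: int
    description: str
    host: str                 # FQDN when present, otherwise the short name
    host_ip: Optional[str]    # None when the Location field omitted it
    log_file: str
    srcip: Optional[str]
    location_complete: bool   # True only when Location had both FQDN and IP

def parse_ossec_syslog(line: str) -> OssecAlert:
    """Parse one alert line; raise ValueError for anything that is not one."""
    m = ALERT_RE.match(line.strip())
    loc = LOCATION_RE.match(m["location"]) if m else None
    if not m or not loc:
        raise ValueError(f"unrecognised OSSEC syslog line: {line!r}")
    return OssecAlert(
        level=int(m["level"]), rule=int(m["rule"]), description=m["desc"],
        host=loc["fqdn"] or loc["host"].strip(), host_ip=loc["ip"], log_file=loc["file"],
        srcip=m["srcip"], location_complete=loc["fqdn"] is not None,
    )

def normalize_location(alert: OssecAlert, hosts: dict) -> OssecAlert:
    """Fill in FQDN/IP from a caller-supplied {shortname: (fqdn, ip)} table; complete or unknown hosts pass through."""
    if alert.location_complete or alert.host not in hosts:
        return alert
    fqdn, ip = hosts[alert.host]
    return replace(alert, host=fqdn, host_ip=ip, location_complete=True)

# Constructed sample lines modelled on the two formats quoted in the thread.
SAMPLE_CLIENT = ("client ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access "
                 "to the system.; Location: (client.lady-gaga.net) 74.143.171.166->/var/log/secure; "
                 "srcip: 72.55.156.23; Apr 12 22:35:40 client sshd[19838]: Invalid user recruit from 72.55.156.23")
SAMPLE_SERVER = ("discosco ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access "
                 "to the system.; Location: discosco->/var/log/secure; srcip: 72.55.156.23; "
                 "Apr 12 22:35:40 cricket-dev sshd[19838]: Invalid user recruit from 72.55.156.23")
```

Alerts whose `location_complete` stays False after normalization are the ones a downstream pipeline still cannot attribute to an FQDN, which is the gap the thread is asking OSSEC to close.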
