Hello Folks,
The exported syslog entries from our OSSEC agent hosts have the following format:

    ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; Location: (ossecclient.domain.com) 74.143.171.166->/var/log/secure; srcip: 72.55.156.23; Apr 12 22:35:40 ossecclient sshd[19838]: Invalid user recruit from 72.55.156.23

The format above is the format we want for all hosts, including the OSSEC server hosts. Note that the format above includes:

- the FQDN of the OSSEC client host, embedded in parentheses
- the IP address of the OSSEC client host

In contrast, the syslog entries from our OSSEC server host have the following format:

    ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; Location: ossecserver->/var/log/secure; srcip: 72.55.156.23; Apr 12 22:35:40 ossecserver sshd[19838]: Invalid user recruit from 72.55.156.23

Note that the name of the OSSEC server host in the Location field is not an FQDN, is not embedded in parentheses and does not include its interface IP address. We very much want the syslog entry format from the OSSEC server host to include all three, as per the format of all syslog entries from all OSSEC agent hosts. And note that the FQDN is

Consistency in the formatting of all syslog entries from OSSEC agents and servers enables us to parse these entries accurately and predictably - yes, the parser of our syslog server is awfully limited in capability, which is why we need the format consistency.

I am hoping that you can take quick remedial action for this situation. In the meantime, is there anything I can do configuration-wise on my own, short of changing the source code by myself?

Regards,
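As an added example (not part of the original post, and not OSSEC's own code), a small Python parser for the exported alert line that accepts both Location forms quoted above and, given a hypothetical host table kept on the syslog receiver, rewrites the server form into the agent form "(fqdn) ip->path":

```python
import re

# Constructed samples: the agent-host and server-host entries quoted in the post.
AGENT_LINE = (
    "ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access "
    "to the system.; Location: (ossecclient.domain.com) 74.143.171.166->/var/log/secure; "
    "srcip: 72.55.156.23; Apr 12 22:35:40 ossecclient sshd[19838]: Invalid user recruit from 72.55.156.23"
)
SERVER_LINE = (
    "ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access "
    "to the system.; Location: ossecserver->/var/log/secure; "
    "srcip: 72.55.156.23; Apr 12 22:35:40 ossecserver sshd[19838]: Invalid user recruit from 72.55.156.23"
)

# Fixed "key: value;" prefix of the exported alert. srcip is optional because
# OSSEC only emits it for rules that extract a source address.
HEADER_RE = re.compile(
    r"^(?P<reporter>\S+) ossec: Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule>\d+) - (?P<desc>.*?); "
    r"Location: (?P<location>.*?); "
    r"(?:srcip: (?P<srcip>\S+); )?"
    r"(?P<log>.*)$"
)
# Agent form "(fqdn) ip->path" versus the server's own "name->path".
LOC_AGENT_RE = re.compile(r"^\((?P<host>[^)]+)\) (?P<ip>[0-9.]+)->(?P<path>.+)$")
LOC_SERVER_RE = re.compile(r"^(?P<host>[^ >()]+)->(?P<path>.+)$")


def parse_location(location):
    """Return host, ip (None for the server form) and the monitored log path."""
    m = LOC_AGENT_RE.match(location)
    if m:
        return {"host": m["host"], "ip": m["ip"], "path": m["path"]}
    m = LOC_SERVER_RE.match(location)
    if m:
        return {"host": m["host"], "ip": None, "path": m["path"]}
    raise ValueError(f"unrecognised Location field: {location!r}")


def parse_alert(line):
    """Parse one exported OSSEC alert line into a flat dict (raises on no match)."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an OSSEC alert line: {line!r}")
    rec = m.groupdict()
    rec["level"], rec["rule"] = int(rec["level"]), int(rec["rule"])
    rec.update(parse_location(rec.pop("location")))
    return rec


def normalise_location(rec, host_map):
    """Rebuild the Location field in agent form. host_map is a hypothetical
    {short name: (fqdn, ip)} table maintained on the syslog server."""
    if rec["ip"] is None and rec["host"] in host_map:
        rec["host"], rec["ip"] = host_map[rec["host"]]
    if rec["ip"] is None:  # unknown server host: leave the original form alone
        return f"{rec['host']}->{rec['path']}"
    return f"({rec['host']}) {rec['ip']}->{rec['path']}"
```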
