I'm looking at using syslog from the OSSEC server to a web frontend of a sort, and I'm not sure they're the best format they could be. That said, I also don't know if part of it is the syslog standard.
It seems to me that the source_host should be the OSSEC location, not the server where OSSEC is installed, for instance. It would also seem to make sense if the severity for syslog was mapped as much as possible between the OSSEC level and syslog...

--
James Pulver
Information Technology Area Supervisor
LEPP Computer Group
Cornell University
