On Wed, 20 Jul 2011 14:51:43 -0400, James M Pulver wrote:
I'm looking at using syslog from the OSSEC server to a web frontend
of a sort, and I'm not sure they're the best format they could be.
That said, I also don't know if part of it is the syslog standard.

It seems to me that the source_host should be the OSSEC location, not
the server where OSSEC is installed for instance. It would also seem
to make sense if the severity for syslog was mapped as much as
possible between the OSSEC level and for syslog...

I took a look at the source and it seems like the issue here is that the agent name is defined in the location, which is already in the syslog output, but it is formatted in such a way that it would break the syslog. For example: (host1) 172.16.0.1->WinEvtLog. The agent name would have to come from something else or it would have to be preprocessed in some way. Also, someone might have several ossec managers, and it actually is ossec that sends the alerts, so in a way it is correct. But I see your point.

--
Michael Starks
[I] Immutable Security
http://www.immutablesecurity.com
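An added illustration of the preprocessing Michael describes (this is example code written for this page, not part of the thread and not OSSEC's own code): it pulls the agent name out of the OSSEC location string "(host1) 172.16.0.1->WinEvtLog", turns it into a syslog-safe HOSTNAME value, and maps an OSSEC alert level onto a syslog severity. The "ip->source" form for events received from remote hosts and the level-to-severity thresholds are assumptions for the sake of the example, not something OSSEC defines.

```python
import re
from typing import NamedTuple, Optional

# Agent-sourced location as quoted in the thread: "(host1) 172.16.0.1->WinEvtLog"
# -> agent name in parentheses, agent IP (or "any"), arrow, log source.
_AGENT_RE = re.compile(r"^\((?P<agent>[^)]+)\)\s+(?P<ip>\S+)->(?P<source>.+)$")
# Assumed form for events the manager received from a remote host without an
# agent: "192.168.1.5->/var/log/messages" (example assumption, not from the page).
_REMOTE_RE = re.compile(r"^(?P<ip>[^\s>()]+)->(?P<source>.+)$")


class Location(NamedTuple):
    agent: Optional[str]   # OSSEC agent name, if the event came from an agent
    ip: Optional[str]      # address of the agent / remote host, if any
    source: str            # log file or channel the event was read from


def parse_location(location: str) -> Location:
    """Split an OSSEC location string into agent name, IP and log source."""
    text = location.strip()
    m = _AGENT_RE.match(text)
    if m:
        return Location(m["agent"], m["ip"], m["source"])
    m = _REMOTE_RE.match(text)
    if m:
        return Location(None, m["ip"], m["source"])
    # Plain path: a log file read on the manager itself.
    return Location(None, None, text)


def syslog_hostname(location: str, manager_host: str) -> str:
    """Pick the host to put in the syslog HOSTNAME field.

    Prefers the agent name, then the remote IP, and falls back to the
    manager's own hostname.  RFC 3164 HOSTNAME must not contain whitespace,
    and the parentheses from the location format would confuse most
    receivers, so both are replaced with '-'.
    """
    loc = parse_location(location)
    candidate = loc.agent or loc.ip or manager_host
    return re.sub(r"[\s()]+", "-", candidate).strip("-")


def syslog_severity(level: int) -> int:
    """Map an OSSEC alert level (0-15) to a syslog severity (0-7).

    The thresholds are an assumed, constructed mapping for this example;
    choose your own to fit the rules you run.
    """
    if not 0 <= level <= 15:
        raise ValueError(f"OSSEC level out of range: {level}")
    if level >= 12:
        return 2  # critical
    if level >= 10:
        return 3  # error
    if level >= 7:
        return 4  # warning
    if level >= 4:
        return 5  # notice
    return 6      # informational


def syslog_priority(facility: int, level: int) -> int:
    """PRI value = facility * 8 + severity (RFC 3164)."""
    return facility * 8 + syslog_severity(level)


if __name__ == "__main__":
    # Constructed sample locations, including one with a space in the agent name.
    for loc in ["(host1) 172.16.0.1->WinEvtLog",
                "(web 01) any->/var/log/nginx/access.log",
                "192.168.1.5->/var/log/messages",
                "/var/log/auth.log"]:
        print(repr(loc), "->", parse_location(loc), syslog_hostname(loc, "ossec-mgr"))
    print("level 7, facility local0 ->", "PRI", syslog_priority(16, 7))
```

Running the block prints the parsed fields and the chosen syslog host for each sample; the same functions can sit in front of whatever forwards alerts to the web frontend so the HOSTNAME field reflects the agent rather than the manager.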