Well. Is it possible to run an OSSEC decoder with active response on the remote OSSEC client directly? In that case I don't need to use the syslog-ng collector and the "hostname" variable.
Where should I put the rules? On the OSSEC server, with the rules automatically deployed to each remote client? Or should I configure each client to use these rules?

On Monday, 17 September 2012 at 17:20:14 UTC+4, dan (ddpbsd) wrote:
> On Mon, Sep 17, 2012 at 9:14 AM, kay kay <[email protected]> wrote:
> > Unfortunately I don't need srcip, I need the hostname which was generated in the log
> > file. Is there any possibility to parse it? At the moment I can't regexp the
> > whole log file but only starting from "[Wed Sep"
> >
> The only way will be to modify the source.
>
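An added illustration, not part of the thread, of where the OSSEC pieces the question touches actually live. Decoders and rules are read only by the manager (etc/local_decoder.xml and rules/local_rules.xml); agents never receive them, they only forward raw log lines. Active response is likewise configured on the manager, and `<location>local</location>` makes the manager instruct the agent that produced the event to run the command. The application name "myapp", the log format, the sample line, the field layout and rule id 100100 are all constructed for this example; the `<expect>` element only accepts a small fixed set of fields such as srcip and user, so a hostname captured into `extra_data` reaches the alert but cannot be handed to the response script without changing the source, which is the point dan makes above.

```xml
<!-- Added example, not from the original thread. All three fragments sit on the OSSEC manager. -->

<!-- 1. /var/ossec/etc/local_decoder.xml                                                        -->
<!-- Constructed sample line the decoder is written against (assumed format, not from the page): -->
<!--   [Wed Sep 12 14:03:11 2012] host=web01 srcip=203.0.113.45 login failed for user admin      -->
<!-- OSSEC regex notes: '[' and '.' are literal, '\d' is a digit, '\S' is a non-space character.   -->
<decoder name="myapp">
  <prematch>^[\w+ \w+ \d+ \d\d:\d\d:\d\d \d\d\d\d] </prematch>
</decoder>

<decoder name="myapp-fields">
  <parent>myapp</parent>
  <!-- Capture groups are assigned, in order, to the fields named in <order>.      -->
  <!-- There is no "hostname" field in 2.x, so the host is parked in extra_data. -->
  <regex offset="after_prematch">^host=(\S+) srcip=(\d+.\d+.\d+.\d+) </regex>
  <order>extra_data, srcip</order>
</decoder>

<!-- 2. /var/ossec/rules/local_rules.xml (rule id 100100 is an assumed local id, 100000-109999 is the local range) -->
<group name="local,myapp,">
  <rule id="100100" level="8">
    <decoded_as>myapp</decoded_as>
    <match>login failed</match>
    <description>myapp: failed login (hostname is available in the alert as extra_data)</description>
  </rule>
</group>

<!-- 3. /var/ossec/etc/ossec.conf on the manager                                                  -->
<!-- firewall-drop.sh ships with OSSEC; it receives the srcip, never the extra_data/hostname.     -->
<ossec_config>
  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop.sh</executable>
    <expect>srcip</expect>
    <timeout_allowed>yes</timeout_allowed>
  </command>

  <active-response>
    <command>firewall-drop</command>
    <!-- "local": run on the agent that sent the matching log line, so the block happens on the client itself -->
    <location>local</location>
    <rules_id>100100</rules_id>
    <timeout>600</timeout>
  </active-response>
</ossec_config>
```

After editing, `ossec-logtest` on the manager (paste the sample line) shows which decoder matched and what landed in srcip and extra_data before any rule fires, and the agents need no change beyond not having active response disabled in their own ossec.conf.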
