OSSEC which your hightlight is your ossec server ? i think the alert is generate by your server . On Thursday, December 6, 2012 7:10:44 AM UTC+8, Scott wrote:
> Am I doing something wrong? Most of my ossec alerts have the server's > hostname instead of the sending system's hostname. > > If I call my server "ossec" and other servers "host1", "host2", etc, send > syslog UDP messages to "abc", then I may get these messages: > > 2012 Dec 05 23:02:08 host1->1.2.3.5 Dec 5 15:02:08 def sbn[92413]: > testing[this one looks right] > 2012 Dec 05 23:04:01 ossec->1.2.3.6 sbn: testing [this one does not] > 2012 Dec 05 23:05:00 ossec->1.2.3.7 sbn: testing [this one does not] > > Thanks >
