On Dec 5, 2012, at 5:56 PM, dan (ddp) wrote:

>> 2012 Dec 05 23:02:08 host1->1.2.3.5 Dec 5 15:02:08 def sbn[92413]: testing
>> [this one looks right]
>> 2012 Dec 05 23:04:01 ossec->1.2.3.6 sbn: testing [this one does not]
>> 2012 Dec 05 23:05:00 ossec->1.2.3.7 sbn: testing [this one does not]
>>
> I have no idea what this means.
>

The part of the log line before the "->" is, on my other ossec system, the host that is sending the log entry. If I receive log entries from "host1" then I'd get messages that are archived as host1->ipaddress, and messages from host2 would be host2->ipaddress, etc.
On this system, most (but strangely not all) messages have as the hostname (the part before the "->") the name of the ossec server host. The IP addresses are correct. I assume this will affect my ability to match based on the sending host.
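As an added example (not code from the thread or from the OSSEC project), here is a small Python script that splits archives.log lines into the fields discussed above and flags the entries whose reporting host is the OSSEC server itself while the location is a remote IP, which are the ones that would defeat matching on the sending host. It assumes the layout visible in the quoted lines, "YYYY Mon DD HH:MM:SS reporting-host->location original-message", and uses the three quoted lines as constructed sample input. It also records whether the original message still carries a syslog header (timestamp plus hostname), since that is a visible difference between the line that looks right and the two that do not.

```python
import re
from collections import defaultdict

# Assumed archives.log layout, taken from the lines quoted in the thread:
#   "<YYYY Mon DD HH:MM:SS> <reporting-host>-><location> <original log message>"
ARCHIVE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+?)->(?P<location>\S+) (?P<msg>.*)$"
)

# Classic syslog header at the start of the forwarded message: "Mon D HH:MM:SS hostname ".
SYSLOG_HEADER_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")

# Constructed sample input reproducing the three lines quoted in the thread.
SAMPLE_LINES = [
    "2012 Dec 05 23:02:08 host1->1.2.3.5 Dec 5 15:02:08 def sbn[92413]: testing",
    "2012 Dec 05 23:04:01 ossec->1.2.3.6 sbn: testing",
    "2012 Dec 05 23:05:00 ossec->1.2.3.7 sbn: testing",
]


def parse_archive_line(line):
    """Return a dict with ts/host/location/msg, or None if the line does not match."""
    m = ARCHIVE_RE.match(line)
    return m.groupdict() if m else None


def has_syslog_header(msg):
    """True if the forwarded message still starts with a syslog timestamp and hostname."""
    return SYSLOG_HEADER_RE.match(msg) is not None


def find_misattributed(lines, server_name):
    """Entries archived under the server's own name even though the location is
    a remote sender; each entry also notes whether the payload had a syslog header."""
    flagged = []
    for line in lines:
        entry = parse_archive_line(line)
        if entry is None:
            continue
        if entry["host"] == server_name and entry["location"] != server_name:
            entry["syslog_header"] = has_syslog_header(entry["msg"])
            flagged.append(entry)
    return flagged


def hosts_by_location(lines):
    """Map each location (source IP) to the set of reporting hostnames seen for it,
    so a location archived under more than one name stands out."""
    seen = defaultdict(set)
    for line in lines:
        entry = parse_archive_line(line)
        if entry is not None:
            seen[entry["location"]].add(entry["host"])
    return {loc: sorted(names) for loc, names in seen.items()}


if __name__ == "__main__":
    # "ossec" is the server hostname from the thread; adjust for your own server.
    for e in find_misattributed(SAMPLE_LINES, "ossec"):
        print(f"{e['ts']} location={e['location']} archived under server name; "
              f"syslog header present: {e['syslog_header']}")
    print(hosts_by_location(SAMPLE_LINES))
```

Run it against a real archives.log by replacing SAMPLE_LINES with the file's lines; any location that maps to the server's own name is a sender whose events will not match a hostname-based rule.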
