The messages at 23:04 and 23:05 were NOT from my ossec server, even though 
the log uses the name of my ossec server in the archive.
Of these three messages, the first was from host1, the second from host2 
and the third from host3.

On Wednesday, December 5, 2012 8:41:36 PM UTC-6, peng lin wrote:
>
> The OSSEC which you highlighted is your ossec server?
> I think the alert is generated by your server.
> On Thursday, December 6, 2012 7:10:44 AM UTC+8, Scott wrote:
>
>> Am I doing something wrong?  Most of my ossec alerts have the server's 
>> hostname instead of the sending system's hostname.
>>
>> If I call my server "ossec" and other servers "host1", "host2", etc, send 
>> syslog UDP messages to "abc", then I may get these messages:
>>
>> 2012 Dec 05 23:02:08 host1->1.2.3.5 Dec  5 15:02:08 def sbn[92413]: 
>> testing [this one looks right]
>> 2012 Dec 05 23:04:01 ossec->1.2.3.6 sbn: testing [this one does not]
>> 2012 Dec 05 23:05:00 ossec->1.2.3.7 sbn: testing [this one does not]
>>
>> Thanks
>>
>
