On Thu, Dec 6, 2012 at 9:56 AM, Scott <[email protected]> wrote:
> The messages at 23:04 and 23:05 were NOT from my ossec server, even though
> the log uses the name of my ossec server in the archive.
> Of these three messages, the first was from host1, the second from host2 and
> the third from host3.
>

These were in archives.log? Or alerts.log? What does the other source say?
How were they sent to the server?
Are host[123] agents?

>
> On Wednesday, December 5, 2012 8:41:36 PM UTC-6, peng lin wrote:
>>
>> Is the OSSEC that you highlighted your ossec server?
>> I think the alert is generated by your server.
>> On Thursday, December 6, 2012 7:10:44 AM UTC+8, Scott wrote:
>>>
>>> Am I doing something wrong?  Most of my ossec alerts have the server's
>>> hostname instead of the sending system's hostname.
>>>
>>> If I call my server "ossec" and other servers "host1", "host2", etc, send
>>> syslog UDP messages to "abc", then I may get these messages:
>>>
>>> 2012 Dec 05 23:02:08 host1->1.2.3.5 Dec  5 15:02:08 def sbn[92413]:
>>> testing [this one looks right]
>>> 2012 Dec 05 23:04:01 ossec->1.2.3.6 sbn: testing [this one does not]
>>> 2012 Dec 05 23:05:00 ossec->1.2.3.7 sbn: testing [this one does not]
>>>
>>> Thanks
