>> The messages at 23:04 and 23:05 were NOT from my ossec server, even though
>> the log uses the name of my ossec server in the archive.
>> Of these three messages, the first was from host1, the second from host2 and
>> the third from host3.
>
> These were in archives.log? Or alerts.log? What does the other source say?
> How were they sent to the server?
> Are host[123] agents?

These are in archives.log and, when an alert is generated, also in alerts.log. These hosts are sending data to the server using syslog UDP 514, and are not agents (some can be made into agents when I have time, but others cannot).

>> On Wednesday, December 5, 2012 8:41:36 PM UTC-6, peng lin wrote:
>>>
>>> The OSSEC which you highlight is your ossec server?
>>> I think the alert is generated by your server.
>>> On Thursday, December 6, 2012 7:10:44 AM UTC+8, Scott wrote:
>>>>
>>>> Am I doing something wrong? Most of my ossec alerts have the server's
>>>> hostname instead of the sending system's hostname.
>>>>
>>>> If I call my server "ossec" and other servers "host1", "host2", etc, send
>>>> syslog UDP messages to "abc", then I may get these messages:
>>>>
>>>> 2012 Dec 05 23:02:08 host1->1.2.3.5 Dec 5 15:02:08 def sbn[92413]:
>>>> testing [this one looks right]
>>>> 2012 Dec 05 23:04:01 ossec->1.2.3.6 sbn: testing [this one does not]
>>>> 2012 Dec 05 23:05:00 ossec->1.2.3.7 sbn: testing [this one does not]
>>>>
>>>> Thanks
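The thread does not settle why two of the three lines are attributed to the server, but the samples in the original post differ visibly: the first payload carries an RFC 3164 header (timestamp and hostname "def" before the tag), while the other two are bare "sbn: testing". The script below is an added example, not code from the thread or from OSSEC; it assumes, as a hypothesis to check rather than a confirmed cause, that a receiver which gets a payload with no hostname field has only the sender's IP to attribute it to. It parses constructed UDP payloads modelled on the three lines and reports which source addresses are sending messages without a hostname, which is the first thing a defender would verify before chasing the server-side log attribution.

```python
import re

# Constructed sample packets (not from the thread), modelled on the three lines
# in the original post: a (source_ip, payload) pair per UDP datagram.
SAMPLE_PACKETS = [
    ("1.2.3.5", "<13>Dec  5 15:02:08 def sbn[92413]: testing"),  # full RFC 3164 header
    ("1.2.3.6", "<13>sbn: testing"),                             # PRI but no timestamp/host
    ("1.2.3.7", "sbn: testing"),                                 # no header at all
]

# RFC 3164 layout: optional <PRI>, "Mmm dd hh:mm:ss", HOSTNAME, then "TAG[pid]: MSG".
_HEADER_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^\s:]+) "
    r"(?P<rest>.*)$"
)

# Bare payload: optional <PRI> followed directly by "TAG[pid]: MSG".
_BARE_RE = re.compile(r"^(?:<(?P<pri>\d{1,3})>)?(?P<rest>[^\s:]+(?:\[\d+\])?: ?.*)$")


def parse_payload(payload: str) -> dict:
    """Split one syslog UDP payload into header fields.

    'hostname' is the header hostname, or None when the payload carries no
    RFC 3164 timestamp/hostname header. 'rest' is the "TAG[pid]: MSG" part.
    """
    m = _HEADER_RE.match(payload)
    if m:
        return {"hostname": m.group("host"), "timestamp": m.group("ts"),
                "rest": m.group("rest")}
    m = _BARE_RE.match(payload)
    return {"hostname": None, "timestamp": None,
            "rest": m.group("rest") if m else payload}


def attribute(packets):
    """Map each (source_ip, payload) to (source_ip, hostname_or_None)."""
    return [(ip, parse_payload(p)["hostname"]) for ip, p in packets]


def unattributable_sources(packets):
    """Source IPs whose payloads carry no hostname field (sorted, deduplicated)."""
    return sorted({ip for ip, host in attribute(packets) if host is None})


if __name__ == "__main__":
    for ip, host in attribute(SAMPLE_PACKETS):
        print(f"{ip:10} hostname={host!r}")
    print("sources without a hostname field:", unattributable_sources(SAMPLE_PACKETS))
```

On the constructed input only 1.2.3.5 yields a hostname; 1.2.3.6 and 1.2.3.7 are reported as sending header-less payloads. In a real investigation the packets would come from a capture on UDP 514 at the OSSEC server, and a non-empty result points at the sending hosts' syslog configuration rather than at OSSEC's parsing.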
