Hi Vilius,

If you are using the OSSEC Web UI 0.3 download from ossec.net, you may want to have a look at some of the patches here on the list,
e.g. http://osdir.com/ml/ossec-list/2012-06/msg00161.html

The log format changed with OSSEC version 2.6 and broke some of the functionality of the Web UI. I don't use it any more, so I can't say if the changes still work with 2.7, but as long as the log formatting is the same, they should.

On 2/2/2013 1:23 PM, Vilius Benetis wrote:
Hey,

I am trying to understand where exactly ossec-wui parses srcip, as I often get bad parsing, for example:

2013 Feb 02 10:48:42 Rule Id: 2901 <http://www.ossec.net/wiki/index.php/Rule:2901> level: 3
Location: ubuntu->/var/log/dpkg.log
Src IP: 02 10:48:41 install libapr1 <none> 1.4.6-1
New dpkg (Debian Package) requested to install.
** Alert 1359830922.3553: - syslog,dpkg,
2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
2013-02-02 10:48:41 install libaprutil1 <none> 1.3.12+dfsg-3

2013 Feb 02 10:48:32 Rule Id: 5501 <http://www.ossec.net/wiki/index.php/Rule:5501> level: 3
Location: ubuntu->/var/log/auth.log
Src IP: 0:48:32 ubuntu sudo: pam_unix(sudo:session): session opened for user root by user(uid=1000)
Login session opened.
** Alert 1359830922.3117: - syslog,dpkg,
2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
2013-02-02 10:48:41 install libcap2 <none> 1:2.22-1ubuntu3

This comes from the local agent, but equally strange results sometimes come from remotes as well.

I believe that sometimes the IP address cannot be extracted, but then this field should most probably be empty, right?

My programming/debugging skills are very rusty, but if it is not too tricky, I could try to adjust the regexp so that it does not produce such results, which mess up statistics and filtering.

--
/Vilius
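The behaviour Vilius describes (a Src IP field filled with a fragment of the logged message whenever the alert has no real source address) is what happens when a single regexp is run over the whole alert text. As an added example that is not the Web UI's code or from anyone in the thread, the parser below reads alerts.log blocks field by field and takes srcip only from a dedicated "Src IP:" line; the sshd alert in the sample input is constructed, the dpkg alert is the one quoted above.

```python
import re
# Added example (not the OSSEC Web UI's own code): parse alerts.log blocks field
# by field so srcip comes only from a dedicated "Src IP:" line, never the event.
ALERT_HEADER = re.compile(r"^\*\* Alert (\d+\.\d+): (?:\S+ )?- (.*)$")
TIMESTAMP_LINE = re.compile(r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} (.+)$")
RULE_LINE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
SRCIP_LINE = re.compile(r"^Src IP: (\d{1,3}(?:\.\d{1,3}){3})$")

# Constructed sample: the dpkg alert from the thread (no Src IP) plus a made-up sshd alert.
SAMPLE_ALERTS = """\
** Alert 1359830922.3553: - syslog,dpkg,
2013 Feb 02 10:48:42 ubuntu->/var/log/dpkg.log
Rule: 2901 (level 3) -> 'New dpkg (Debian Package) requested to install.'
2013-02-02 10:48:41 install libaprutil1 <none> 1.3.12+dfsg-3

** Alert 1359830999.4000: - syslog,sshd,authentication_failed,
2013 Feb 02 10:49:59 (web01) 192.0.2.10->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
Feb  2 10:49:58 web01 sshd[2210]: Failed password for root from 198.51.100.7 port 40022 ssh2
"""

def split_alerts(text):
    """One block per '** Alert' header; blank separator lines are dropped."""
    blocks = []
    for line in text.splitlines():
        if line.startswith("** Alert "):
            blocks.append([line])
        elif blocks and line.strip():
            blocks[-1].append(line)
    return blocks

def parse_alert(block):
    """srcip stays None unless a well-formed 'Src IP:' line is present."""
    alert = dict.fromkeys(("id", "groups", "location", "rule", "level", "srcip", "log"))
    event = []  # the logged message itself, which is never mined for an IP
    for line in block:
        if m := ALERT_HEADER.match(line):
            alert["id"], alert["groups"] = m.group(1), m.group(2).rstrip(",")
        elif alert["location"] is None and (m := TIMESTAMP_LINE.match(line)):
            alert["location"] = m.group(1)
        elif m := RULE_LINE.match(line):
            alert["rule"], alert["level"] = m.group(1), m.group(2)
        elif (m := SRCIP_LINE.match(line)) and max(map(int, m.group(1).split("."))) < 256:
            alert["srcip"] = m.group(1)  # dotted quad with every octet in 0..255
        else:
            event.append(line)
    alert["log"] = "\n".join(event) or None
    return alert
```

Running `[parse_alert(b)["srcip"] for b in split_alerts(SAMPLE_ALERTS)]` gives `None` for the dpkg alert and `198.51.100.7` for the sshd alert, so statistics and filters by source address see an empty field rather than a timestamp fragment.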