Did you do step 3 of the GeoIP procedure shown in the 2.7 release note? 
- - -

 Step 3. Compile OSSEC with GeoIP enabled, modify config
    get ossec-hids-2.7.tar.gz
    tar xzvf ossec-hids-2.7.tar.gz
    cd ossec-hids-2.7
    cd src
    make setgeoip
    cd ..
    su
    ./install.sh

  ------ modify etc/ossec.conf
  <ossec_config>
     <global>
         <!-- to specify GeoIP database file location -->
         <geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path>
         <geoip6_db_path>/etc/GeoLiteCityv6.dat</geoip6_db_path>
     </global>

     <alerts>
         <!-- to add GeoIP info in alerts -->
         <use_geoip>yes</use_geoip>
      </alerts>
  </ossec_config>

  ------ update etc/internal_options.conf
  # Maild display GeoIP data (0=disabled, 1=enabled)
  maild.geoip=1

  ------ restart OSSEC
    /var/ossec/bin/ossec-control restart


On Monday, October 14, 2013 9:11:01 AM UTC-7, Bernard wrote:
>
> Hi,
>
> I configured GeoIp for OSSEC (
> http://www.ossec.net/files/ossec-hids-2.7-release-note.txt) and all seems 
> well.
> No errors in ossec.log, doing a manual lookup using geoiplookup and the 
> geoip city-database in /var/ossec/etc gives me a proper result.
> But the "Src Location: " field in email-alerts is still empty, also when I 
> test a rule using ossec-logtest:
>
>
> # geoiplookup -f /var/ossec/etc/GeoLiteCity.dat 173.194.66.106
> GeoIP City Edition, Rev 1: US, CA, Mountain View, 94043, 37.419201, 
> -122.057404, 807, 650
>
>
> # ./ossec-logtest -a
> 2013/10/14 17:57:47 ossec-testrule: INFO: Reading local decoder file.
> 2013/10/14 17:57:47 ossec-testrule: INFO: Started (pid: 5151).
> Oct 14 16:08:08 demo sshd[31791]: Invalid user test from 173.194.66.106
> ** Alert 1381766270.1: - syslog,sshd,invalid_login,authentication_failed,
> 2013 Oct 14 17:57:50 demo->stdin
> Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
> Src IP: 173.194.66.106
> Src Location:  
> Oct 14 16:08:08 demo sshd[31791]: Invalid user test from 173.194.66.106
>
>
> The manual lookup using a google-ip shows a city, OSSEC doesn't...
>
> The server is running CentOS 5. GeoIP and OSSEC (v2.7) are installed using 
> yum and the OSSEC AtomiCorp repository.
>
>
> Any ideas? OSSEC is functioning properly except for the empty field.
>
>
>

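As an added example (not part of this thread or of OSSEC itself), the checker below reads the two files that step 3 asks you to edit and reports which GeoIP settings are missing, and it scans an ossec-logtest alert for an empty "Src Location:" line like the one quoted above. It assumes ossec.conf has no XML declaration (OSSEC's shipped config starts directly with `<ossec_config>`), and it cannot tell whether the installed binaries were built with `make setgeoip`; the config and alert text below are constructed from the messages in this thread.

```python
"""Audit OSSEC 2.7 GeoIP configuration. Added example, not OSSEC tooling."""
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample: the ossec.conf fragment from the release-note step.
SAMPLE_CONF = """
<ossec_config>
   <global>
       <!-- to specify GeoIP database file location -->
       <geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path>
       <geoip6_db_path>/etc/GeoLiteCityv6.dat</geoip6_db_path>
   </global>
   <alerts>
       <!-- to add GeoIP info in alerts -->
       <use_geoip>yes</use_geoip>
   </alerts>
</ossec_config>
"""

# Constructed sample: the ossec-logtest output quoted in the original post.
SAMPLE_ALERT = """** Alert 1381766270.1: - syslog,sshd,invalid_login,authentication_failed,
2013 Oct 14 17:57:50 demo->stdin
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 173.194.66.106
Src Location:  
Oct 14 16:08:08 demo sshd[31791]: Invalid user test from 173.194.66.106
"""


def parse_ossec_conf(text):
    """ossec.conf may hold several <ossec_config> blocks, so wrap them in one
    root element before parsing. XML comments are skipped by ElementTree."""
    root = ET.fromstring("<root>" + text + "</root>")
    settings = {}
    for cfg in root.iter("ossec_config"):
        glob = cfg.find("global")
        if glob is not None:
            for tag in ("geoip_db_path", "geoip6_db_path"):
                el = glob.find(tag)
                if el is not None and el.text:
                    settings[tag] = el.text.strip()
        alerts = cfg.find("alerts")
        if alerts is not None:
            el = alerts.find("use_geoip")
            if el is not None and el.text:
                settings["use_geoip"] = el.text.strip().lower()
    return settings


def parse_internal_options(text):
    """internal_options.conf is key=value lines with '#' comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def audit_geoip(ossec_conf_text, internal_options_text,
                path_exists=os.path.exists):
    """Return a list of findings; an empty list means the three settings from
    step 3 are present and the IPv4 database file exists."""
    findings = []
    conf = parse_ossec_conf(ossec_conf_text)
    opts = parse_internal_options(internal_options_text)
    db = conf.get("geoip_db_path")
    if not db:
        findings.append("global/geoip_db_path not set")
    elif not path_exists(db):
        findings.append("GeoIP database missing: %s" % db)
    if conf.get("use_geoip") != "yes":
        findings.append("alerts/use_geoip is not 'yes'")
    if opts.get("maild.geoip") != "1":
        findings.append("internal_options.conf: maild.geoip is not 1")
    return findings


def alert_has_location(alert_text):
    """True if the alert carries a non-empty 'Src Location:' value."""
    match = re.search(r"^Src Location:[ \t]*(.*)$", alert_text, re.M)
    return bool(match and match.group(1).strip())


if __name__ == "__main__":
    # Pretend the database file exists so the sample config audits clean.
    for finding in audit_geoip(SAMPLE_CONF, "maild.geoip=1\n", lambda p: True):
        print("finding:", finding)
    print("alert has location:", alert_has_location(SAMPLE_ALERT))
```

If the audit comes back clean on a real host and the "Src Location:" line is still empty, the remaining suspect is the build itself, which is what the compile step above addresses.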