Yes I did, except for the compiling. The compiled version of OSSEC from the repository came with "maild.geoip=1" by default.

I configured ossec.conf the way you showed below and ossec.log does not complain about the added XML tags. So I assume OSSEC understands the tags, and it does show the 'Src Location: ' field in the alerts and alert emails. So it understands the configuration but it does not fill the field...

On Tuesday, October 15, 2013 00:28:07 UTC+2, Jb Cheng wrote:
>
> Did you do step 3 of the GeoIP procedure shown in the 2.7 release note?
> - - -
>
> Step 3. Compile OSSEC with GeoIP enabled, modify config
> get ossec-hids-2.7.tar.gz
> tar xzvf ossec-hids-2.7.tar.gz
> cd ossec-hids-2.7
> cd src
> make setgeoip
> cd ..
> su
> ./install.sh
>
> ------ modify etc/ossec.conf
> <ossec_config>
> <global>
> <!-- to specify GeoIP database file location -->
> <geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path>
> <geoip6_db_path>/etc/GeoLiteCityv6.dat</geoip6_db_path>
> </global>
>
> <alerts>
> <!-- to add GeoIP info in alerts -->
> <use_geoip>yes</use_geoip>
> </alerts>
> </ossec_config>
>
> ------ update etc/internal_options.conf
> # Maild display GeoIP data (0=disabled, 1=enabled)
> maild.geoip=1
>
> ------ restart OSSEC
> /var/ossec/bin/ossec-control restart
>
>
> On Monday, October 14, 2013 9:11:01 AM UTC-7, Bernard wrote:
>>
>> Hi,
>>
>> I configured GeoIP for OSSEC (
>> http://www.ossec.net/files/ossec-hids-2.7-release-note.txt) and all
>> seems well.
>> No errors in ossec.log, doing a manual lookup using geoiplookup and the
>> geoip city database in /var/ossec/etc gives me a proper result.
>> But the "Src Location: " field in email alerts is still empty, also when
>> I test a rule using ossec-logtest:
>>
>>
>> # geoiplookup -f /var/ossec/etc/GeoLiteCity.dat 173.194.66.106
>> GeoIP City Edition, Rev 1: US, CA, Mountain View, 94043, 37.419201,
>> -122.057404, 807, 650
>>
>>
>> # ./ossec-logtest -a
>> 2013/10/14 17:57:47 ossec-testrule: INFO: Reading local decoder file.
>> 2013/10/14 17:57:47 ossec-testrule: INFO: Started (pid: 5151).
>> Oct 14 16:08:08 demo sshd[31791]: Invalid user test from 173.194.66.106
>> ** Alert 1381766270.1: - syslog,sshd,invalid_login,authentication_failed,
>> 2013 Oct 14 17:57:50 demo->stdin
>> Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
>> Src IP: 173.194.66.106
>> Src Location:
>> Oct 14 16:08:08 demo sshd[31791]: Invalid user test from 173.194.66.106
>>
>>
>> The manual lookup using a Google IP shows a city, OSSEC doesn't...
>>
>> The server is running CentOS 5. GeoIP and OSSEC (v2.7) are installed
>> using yum and the OSSEC AtomiCorp repository.
>>
>>
>> Any ideas? OSSEC is functioning properly except for the empty field.
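As an added example (not code from the thread or from OSSEC), a small Python check that verifies the three GeoIP settings Jb Cheng lists (the ossec.conf tags, maild.geoip in internal_options.conf, the database file) and scans ossec-logtest output for the empty "Src Location:" symptom Bernard reports; the sample inputs are constructed from the thread, and the file paths are whatever the caller passes in.

```python
import os
import xml.etree.ElementTree as ET

# Constructed samples, copied from the config snippet and ossec-logtest output in the thread.
SAMPLE_OSSEC_CONF = """<ossec_config><global><geoip_db_path>/etc/GeoLiteCity.dat</geoip_db_path></global>
<alerts><use_geoip>yes</use_geoip></alerts></ossec_config>"""
SAMPLE_INTERNAL_OPTIONS = "# Maild display GeoIP data (0=disabled, 1=enabled)\nmaild.geoip=1\n"
SAMPLE_LOGTEST = """** Alert 1381766270.1: - syslog,sshd,invalid_login,authentication_failed,
Src IP: 173.194.66.106
Src Location:
"""

def geoip_settings(ossec_conf_xml):
    """Read the two GeoIP tags from ossec.conf; a missing tag yields None/False."""
    root = ET.fromstring(ossec_conf_xml)
    use = (root.findtext("alerts/use_geoip") or "").strip().lower()
    return {"geoip_db_path": root.findtext("global/geoip_db_path"), "use_geoip": use == "yes"}

def maild_geoip_enabled(internal_options_text):
    """True when internal_options.conf sets maild.geoip=1 (comments ignored)."""
    for raw in internal_options_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("maild.geoip") and "=" in line:
            return line.split("=", 1)[1].strip() == "1"
    return False

def alerts_missing_location(logtest_output):
    """Return the Src IP of every alert whose 'Src Location:' line is blank."""
    missing, src_ip = [], None
    for line in logtest_output.splitlines():
        if line.startswith("** Alert"):
            src_ip = None
        elif line.startswith("Src IP:"):
            src_ip = line.split(":", 1)[1].strip()
        elif line.startswith("Src Location:") and not line.split(":", 1)[1].strip() and src_ip:
            missing.append(src_ip)
    return missing

def diagnose(ossec_conf_xml, internal_options_text, logtest_output, db_exists=os.path.isfile):
    """Collect findings; db_exists is injectable so the check runs without the real files."""
    cfg, findings = geoip_settings(ossec_conf_xml), []
    if not cfg["use_geoip"]:
        findings.append("<use_geoip>yes</use_geoip> is missing under <alerts>")
    if not (cfg["geoip_db_path"] and db_exists(cfg["geoip_db_path"])):
        findings.append("GeoIP database from <geoip_db_path> not found: %r" % cfg["geoip_db_path"])
    if not maild_geoip_enabled(internal_options_text):
        findings.append("maild.geoip is not set to 1 in internal_options.conf")
    findings += ["alert for %s has an empty Src Location field" % ip
                 for ip in alerts_missing_location(logtest_output)]
    return findings
```

Run it against the real files with `open('/var/ossec/etc/ossec.conf').read()` and so on; an empty findings list means every piece the thread mentions is in place, so the remaining suspect is the binary itself (the `make setgeoip` step).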
