Hi

I'm relatively new to OSSEC and ArcSight. So far I have it working with 
the following options:

  <syslog_output>
    <server>192.186.1.100</server>
    <format>cef</format>
  </syslog_output>

The syslog is sending the alerts to the ArcSight server.

Example message:

Nov  6 13:16:03 ossecsrv CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.7|5402|Successful sudo to ROOT executed|3|dvc=ossecsrv cs2=(ossecclient) 10.64.11.188->/var/log/messages cs2Label=Location suser=nagios msg=Nov  6 13:16:02 ossecclient sudo:   nagios : TTY=unknown ; PWD=/opt/home/nagios ; USER=root ; COMMAND=/bin/cat /proc/linuxshield/enabled

But ArcSight needs a different format:
dvc has to be the IP from the ossecsrv (192.168.1.100).
dhost the hostname from the ossecclient.
dst could have the IP from the ossecclient.

Are there any options for the CEF Format output?

regards
S. Joerrens
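
The following is an added example, not part of the original post and not an OSSEC option: it shows how a relay sitting between the OSSEC manager and ArcSight could rewrite the CEF extension so that dvc carries the manager's IP, dhost the agent hostname and dst the agent IP, both taken from the OSSEC Location value in cs2. The sample line is reconstructed from the post, the manager address 192.168.1.100 is the one the post gives, and the extra dvchost key (keeping the old hostname) is my own choice. Because OSSEC does not escape the '=' characters inside msg (TTY=unknown, USER=root in the sample), the parser only splits at known CEF keys and lets msg swallow the rest of the line.

```python
import re

# Constructed sample, modelled on the line quoted in the post (not a captured event).
SAMPLE = ("Nov  6 13:16:03 ossecsrv CEF:0|Trend Micro Inc.|OSSEC HIDS|v2.7|5402|"
          "Successful sudo to ROOT executed|3|dvc=ossecsrv "
          "cs2=(ossecclient) 10.64.11.188->/var/log/messages cs2Label=Location "
          "suser=nagios msg=Nov  6 13:16:02 ossecclient sudo:   nagios : TTY=unknown ; "
          "PWD=/opt/home/nagios ; USER=root ; COMMAND=/bin/cat /proc/linuxshield/enabled")

# Assumed address of the OSSEC manager (ossecsrv), as stated in the post.
OSSEC_SERVER_IP = "192.168.1.100"

# Extension keys we are willing to split on. OSSEC leaves '=' unescaped inside msg,
# so splitting on every "word=" would tear the sudo line apart.
KNOWN_KEYS = {"dvc", "dvchost", "dhost", "dst", "src", "shost", "suser", "duser",
              "cs1", "cs1Label", "cs2", "cs2Label", "cs3", "cs3Label", "msg"}

# Agent events: "(agentname) 10.64.11.188->/var/log/messages"
AGENT_LOCATION_RE = re.compile(r'^\((?P<host>[^)]+)\)\s+(?P<ip>[0-9a-fA-F.:]+)->(?P<file>.*)$')


def split_cef(line):
    """Return (syslog prefix, the 7 CEF header fields, extension string).
    CEF allows an escaped pipe ('\\|') inside header fields, so split on unescaped pipes only."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF header in line")
    prefix, body = line[:idx], line[idx:]
    parts = re.split(r'(?<!\\)\|', body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    return prefix, parts[:7], parts[7]


def parse_extension(ext):
    """Return an ordered list of (key, value) pairs from a CEF extension string.
    Only KNOWN_KEYS start a new field; msg consumes everything after it."""
    matches = [m for m in re.finditer(r'(?:^|\s)(\w+)=', ext) if m.group(1) in KNOWN_KEYS]
    pairs = []
    for i, m in enumerate(matches):
        key = m.group(1)
        if key == "msg":
            pairs.append((key, ext[m.end():].strip()))
            break
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        pairs.append((key, ext[m.end():end].strip()))
    return pairs


def parse_location(location):
    """Split an OSSEC Location value into (host, ip, file).
    Events from the manager itself carry 'host->file' or a bare file name, so host/ip may be None."""
    m = AGENT_LOCATION_RE.match(location)
    if m:
        return m.group("host"), m.group("ip"), m.group("file")
    host, sep, file = location.partition("->")
    if sep:
        return host, None, file
    return None, None, location


def rewrite_for_arcsight(line, server_ip=OSSEC_SERVER_IP):
    """Rewrite one OSSEC CEF line: dvc -> manager IP, dvchost -> old dvc hostname,
    dhost/dst -> agent hostname and IP from cs2 (Location), falling back to the manager."""
    prefix, header, ext = split_cef(line)
    pairs = parse_extension(ext)
    fields = dict(pairs)
    if fields.get("cs2Label") != "Location":
        raise ValueError("cs2 is not the OSSEC Location field")
    host, ip, _ = parse_location(fields.get("cs2", ""))
    out = []
    for key, value in pairs:
        if key == "dvc":
            out.append(("dvc", server_ip))
            out.append(("dvchost", value))          # keep the manager hostname
            out.append(("dhost", host or value))    # agent hostname, or manager for local events
            out.append(("dst", ip or server_ip))    # agent IP, or manager for local events
        else:
            out.append((key, value))
    return prefix + "|".join(header) + "|" + " ".join(f"{k}={v}" for k, v in out)


if __name__ == "__main__":
    print(rewrite_for_arcsight(SAMPLE))
```

The rewrite keeps the syslog prefix and the seven CEF header fields untouched and only reorders nothing in the extension except inserting the three new keys directly after dvc, so the msg payload reaches ArcSight byte for byte as OSSEC produced it.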
