I think the CEF format is not correctly implemented.
The original CEF documentation from ArcSight (ArcSight CEF PDF
<http://mita-tac.wikispaces.com/file/view/CEF+White+Paper+071709.pdf>)
explains the format very well.
dvc must be the IP, not the hostname; dhost is the hostname where the event
occurs. (dst in my previous post should be correct.)
How can I get the needed output?
I am not a C expert, but I found the related part in the alert.c source:
else if (syslog_config->format == CEF_CSYSLOG)
{
    /* CEF header: Version|Vendor|Product|Device Version|Signature ID|Name|Severity|
     * followed by the extension fields (key=value pairs) */
    snprintf(syslog_msg, OS_SIZE_2048,
             "<%d>%s CEF:0|%s|%s|%s|%d|%s|%d|dvc=%s cs2=%s cs2Label=Location",
             syslog_config->priority,
             tstamp,
             __author,
             __name,
             __version,
             al_data->rule,
             al_data->comment,
             (al_data->level > 10) ? 10 : al_data->level,  /* CEF severity is capped at 10 */
             __shost, al_data->location);                   /* dvc is currently filled with the hostname */
    field_add_string(syslog_msg, OS_SIZE_2048, " src=%s", al_data->srcip);
#ifdef GEOIP
    field_add_string(syslog_msg, OS_SIZE_2048, " cs3Label=SrcCity cs3=%s", al_data->geoipdatasrc);
    field_add_string(syslog_msg, OS_SIZE_2048, " cs4Label=DstCity cs4=%s", al_data->geoipdatadst);
#endif
    field_add_string(syslog_msg, OS_SIZE_2048, " suser=%s", al_data->user);
    field_add_string(syslog_msg, OS_SIZE_2048, " dst=%s", al_data->dstip);
    /* first line of the original log, truncated to fit the buffer */
    field_add_truncated(syslog_msg, OS_SIZE_2048, " msg=%s", al_data->log[0], 2);
    if (al_data->new_md5 && al_data->new_sha1) {
        /* integrity-check alerts carry the old and new checksums */
        field_add_string(syslog_msg, OS_SIZE_2048, " Previous MD5: %s", al_data->old_md5);
        field_add_string(syslog_msg, OS_SIZE_2048, " Current MD5: %s", al_data->new_md5);
        field_add_string(syslog_msg, OS_SIZE_2048, " Previous SHA1: %s", al_data->old_sha1);
        field_add_string(syslog_msg, OS_SIZE_2048, " Current SHA1: %s", al_data->new_sha1);
    }
}
Most important is the dhost entry; how do I implement it?
Thanks
S. Joerrens
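One way to emit the fields discussed above, as an added example that is not OSSEC's own code: a small helper that appends CEF extension key=value pairs with the escaping the ArcSight spec requires for extension values (backslash, '=', line breaks), so a hostname or log text containing '=' cannot be misread by the collector as a new key. The argument names dvc_ip, dhost and location are assumptions, not alert.c's.

```c
#include <stdio.h>
#include <string.h>
/* Escape one CEF extension value into out. Per the ArcSight CEF spec,
 * backslash and '=' get a leading backslash and line breaks become the
 * two characters "\n" / "\r". Returns out, or NULL if it would not fit. */
static char *cef_ext_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (; *in; in++) {
        char buf[2] = { *in, '\0' };
        const char *rep = buf;
        switch (*in) {
        case '\\': rep = "\\\\"; break;
        case '=':  rep = "\\=";  break;
        case '\n': rep = "\\n";  break;
        case '\r': rep = "\\r";  break;
        }
        size_t n = strlen(rep);
        if (o + n >= outsz) return NULL;   /* keep room for the terminator */
        memcpy(out + o, rep, n);
        o += n;
    }
    out[o] = '\0';
    return out;
}
/* Append "key=value" (space-separated) with the value escaped. Same shape as
 * field_add_string() in alert.c, but a value that does not fit is dropped
 * whole instead of being cut mid-escape; a NULL value is simply skipped.
 * Returns 0, or -1 if msg is full. */
static int cef_add_ext(char *msg, size_t msgsz, const char *key, const char *val)
{
    char esc[512];
    if (!val) return 0;
    if (!cef_ext_escape(val, esc, sizeof esc)) return -1;
    size_t len = strlen(msg);
    int n = snprintf(msg + len, msgsz - len, "%s%s=%s", len ? " " : "", key, esc);
    if (n < 0 || (size_t)n >= msgsz - len) { msg[len] = '\0'; return -1; }
    return 0;
}
/* Extension part as the post wants it: dvc = sensor IP, dhost = host name the
 * event came from. The three value arguments are hypothetical, not alert.c's. */
static int cef_build_ext(char *msg, size_t msgsz, const char *dvc_ip,
                         const char *dhost, const char *location)
{
    msg[0] = '\0';
    if (cef_add_ext(msg, msgsz, "dvc", dvc_ip)) return -1;
    if (cef_add_ext(msg, msgsz, "dhost", dhost)) return -1;
    if (cef_add_ext(msg, msgsz, "cs2", location)) return -1;
    return cef_add_ext(msg, msgsz, "cs2Label", "Location");
}
```

The result is meant to be appended directly after the header's trailing '|', in place of the fixed "dvc=%s cs2=%s cs2Label=Location" part of the snprintf format.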