So this is the quick&dirty fix that is working for us now:
--
---
@@ -150,18 +150,20 @@ int OS_Alert_SendSyslog(alert_data *al_d
}
else if(syslog_config->format == CEF_CSYSLOG)
{
- snprintf(syslog_msg, OS_SIZE_2048,
-
- "<%d>%s CEF:0|%s|%s|%s|%d|%s|%d|dvc=%s cs2=%s cs2Label=Location",
- syslog_config->priority,
- tstamp,
- __author,
- __name,
- __version,
- al_data->rule,
- al_data->comment,
- (al_data->level > 10) ? 10 : al_data->level,
- __shost, al_data->location);
+ char __dhost[50];
+ memcpy(__dhost, al_data->location,50);
+ snprintf(syslog_msg, OS_SIZE_2048,
+ "<%d>%s CEF:0|%s|%s|%s|%d|%s|%d|dhost=%s cs2=%s cs2Label=Location",
+ syslog_config->priority,
+ tstamp,
+ __author,
+ __name,
+ __version,
+ al_data->rule,
+ al_data->comment,
+ (al_data->level > 10) ? 10 : al_data->level,
+ strtok(strtok(strtok(__dhost, "->"), ") "), "("), al_data->location);
+ field_add_string(syslog_msg, OS_SIZE_2048, " fname=%s", al_data->filename );
field_add_string(syslog_msg, OS_SIZE_2048, " src=%s", al_data->srcip );
#ifdef GEOIP
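Review bot: `memcpy(__dhost, al_data->location,50)` copies a fixed 50 bytes regardless of the string's length, so it reads past the end of a shorter location and leaves `__dhost` without a NUL terminator when the location is 50 bytes or longer; the `strtok` chain on the next lines then scans out of bounds. A bounded, terminating copy such as `snprintf(__dhost, sizeof __dhost, "%s", al_data->location);` fixes both. Note also that `strtok`'s second argument is a set of single delimiter characters, not a literal string, so `"->"` also splits on any bare `-` in the host part (hedged, since the exact location format is not visible here), and if any of the three calls returns NULL the next `strtok(NULL, ...)` continues from stale static state and the final NULL reaches `%s`, which is undefined behaviour. The rewrite below guards each step; `OS_Alert_SendSyslog` begins before the hunk and continues past it.
```c
char __dhost[50];
const char *dhost = "";
/* bounded, NUL-terminated copy of the location we are going to tokenize */
snprintf(__dhost, sizeof __dhost, "%s", al_data->location);
/* each strtok may yield NULL; never hand NULL to the next call or to %s */
char *tok = strtok(__dhost, "->");
if (tok) tok = strtok(tok, ") ");
if (tok) tok = strtok(tok, "(");
if (tok) dhost = tok;
snprintf(syslog_msg, OS_SIZE_2048,
         "<%d>%s CEF:0|%s|%s|%s|%d|%s|%d|dhost=%s cs2=%s cs2Label=Location",
         /* … unchanged: priority, tstamp, __author, __name, __version, rule, comment, level … */
         dhost, al_data->location);
```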
@@ -171,6 +173,7 @@ int OS_Alert_SendSyslog(alert_data *al_d
field_add_string(syslog_msg, OS_SIZE_2048, " suser=%s", al_data->user );
field_add_string(syslog_msg, OS_SIZE_2048, " dst=%s", al_data->dstip );
field_add_truncated(syslog_msg, OS_SIZE_2048, " msg=%s", al_data->log[0], 2 );
+ field_add_string(syslog_msg, OS_SIZE_2048, " fname=%s", al_data->filename );
if (al_data->new_md5 && al_data->new_sha1) {
field_add_string(syslog_msg, OS_SIZE_2048, " Previous MD5: %s", al_data->old_md5 );
field_add_string(syslog_msg, OS_SIZE_2048, " Current MD5: %s", al_data->new_md5 );
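Review bot: The new `fname=` field is appended after the truncated `msg=` field here, whereas in the CEF branch of the earlier hunk it is inserted ahead of `src=`; if both formats are meant to carry the same field order, move this line up to sit directly before `field_add_string(syslog_msg, OS_SIZE_2048, " src=%s", al_data->srcip );`. Which format branch this hunk belongs to is not visible, and `OS_Alert_SendSyslog` starts and ends outside the hunk.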