Curiouser and curiouser: when the message comes from a remote host, the 
hostname contains something like "(secure-test.foo.com) 
192.168.1.1->/var/log/secure" rather than simply "secure-test.foo.com". 
Based on a comment in the source code (in 
ossec-hids-2.7/src/analysisd/cleanevent.c), it looks like this may be 
what's supposed to happen:


    /* Every message must be in the format
     * hostname->location or
     * (agent) ip->location.
     */


    /* Setting hostname for local messages */
    if(lf->location[0] == '(')
    {
        /* Messages from an agent */
        lf->hostname = lf->location;
    }
    else if(lf->hostname == NULL)
    {
        lf->hostname = __shost;
    }


Changing the hostnames in the list to match seems to have gotten things 
working. 
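
As an added example (my own code, not OSSEC's and not from this thread): a small parser that splits an event location string into the parts the cleanevent.c comment describes, so you can see exactly which string a hostname list has to match. The struct and function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Split an OSSEC event "location" string into its parts, following the two
 * forms noted in cleanevent.c:
 *   hostname->location      (local messages)
 *   (agent) ip->location    (messages from an agent)
 * OSSEC sets lf->hostname to the whole left side of "->", so for an agent
 * event the value a list is matched against is "(agent) ip", not "agent".
 */
struct ossec_loc {
    char hostname[256];   /* left side of "->", as OSSEC sets lf->hostname */
    char agent[256];      /* name inside parentheses, empty for local events */
    char ip[64];          /* agent IP, empty for local events */
    char location[256];   /* right side of "->" */
    int from_agent;       /* 1 when the location starts with '(' */
};

/* Returns 0 on success, -1 when the string is not in either format. */
int parse_ossec_location(const char *s, struct ossec_loc *out)
{
    const char *arrow = strstr(s, "->");
    if (arrow == NULL) return -1;
    memset(out, 0, sizeof(*out));
    size_t hlen = (size_t)(arrow - s);
    if (hlen >= sizeof(out->hostname)) hlen = sizeof(out->hostname) - 1;
    memcpy(out->hostname, s, hlen);
    snprintf(out->location, sizeof(out->location), "%s", arrow + 2);
    if (s[0] == '(') {                       /* agent form: "(agent) ip" */
        const char *close = strchr(s, ')');
        if (close == NULL || close > arrow) return -1;
        out->from_agent = 1;
        size_t alen = (size_t)(close - s - 1);
        if (alen >= sizeof(out->agent)) alen = sizeof(out->agent) - 1;
        memcpy(out->agent, s + 1, alen);
        const char *ipstart = close + 1;
        while (*ipstart == ' ') ipstart++;
        size_t iplen = (size_t)(arrow - ipstart);
        if (iplen >= sizeof(out->ip)) iplen = sizeof(out->ip) - 1;
        memcpy(out->ip, ipstart, iplen);
    }
    return 0;
}

int main(void)
{
    /* Constructed sample, same shape as the remote event in the thread. */
    struct ossec_loc l;
    if (parse_ossec_location("(secure-test.foo.com) 192.168.1.1->/var/log/secure", &l) == 0)
        printf("list must contain: \"%s\" (agent=%s ip=%s log=%s)\n",
               l.hostname, l.agent, l.ip, l.location);
    return 0;
}
```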
