Finally - someone else is having the same problem -- https://groups.google.com/d/msg/ossec-list/qwdbTHXAIwg/pDYWz9x7U8UJ
Now I can go try and fix it.. THANK YOU!

~J

On Thursday, March 6, 2014 6:24:29 PM UTC-8, [email protected] wrote:
>
> Curiouser and curiouser: when the message comes from a remote host, the
> hostname contains something like "(secure-test.foo.com)
> 192.168.1.1->/var/log/secure" rather than simply "secure-test.foo.com".
> Based on a comment in the source code (in
> ossec-hids-2.7/src/analysisd/cleanevent.c), it looks like this may be
> what's supposed to happen:
>
>     /* Every message must be in the format
>      * hostname->location or
>      * (agent) ip->location.
>      */
>
>     /* Setting hostname for local messages */
>     if(lf->location[0] == '(')
>     {
>         /* Messages from an agent */
>         lf->hostname = lf->location;
>     }
>     else if(lf->hostname == NULL)
>     {
>         lf->hostname = __shost;
>     }
>
> Changing the hostnames in the list to match seems to have gotten things
> working.
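An added example, not part of the original messages and not OSSEC's own code: it mirrors the quoted hostname branch to show which string a hostname-keyed list has to match for agent events, and splits that string back into its parts. The names `loc_parts`, `effective_hostname` and `split_location` are hypothetical; the sample string is the one from the quoted message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical holder for the pieces of an agent location string. */
struct loc_parts {
    char agent[128];   /* name inside the parentheses */
    char ip[64];       /* address between ") " and "->" */
    char source[256];  /* log file after "->" */
};

/* Mirrors the quoted branch: agent messages get the whole location string
 * as hostname; local ones keep the parsed hostname or the local default. */
const char *effective_hostname(const char *location, const char *parsed,
                               const char *local_default)
{
    if (location[0] == '(')
        return location;
    return parsed != NULL ? parsed : local_default;
}

/* Split "(agent) ip->source". Returns 1 on success, 0 if the string is not
 * in agent form, -1 if it starts with '(' but is malformed. */
int split_location(const char *location, struct loc_parts *out)
{
    const char *rparen, *arrow;
    memset(out, 0, sizeof(*out));
    if (location == NULL || location[0] != '(')
        return 0;
    rparen = strchr(location, ')');
    arrow = strstr(location, "->");
    if (rparen == NULL || arrow == NULL || rparen > arrow || rparen[1] != ' ')
        return -1;
    snprintf(out->agent, sizeof(out->agent), "%.*s",
             (int)(rparen - location - 1), location + 1);
    snprintf(out->ip, sizeof(out->ip), "%.*s", (int)(arrow - rparen - 2), rparen + 2);
    snprintf(out->source, sizeof(out->source), "%s", arrow + 2);
    return 1;
}

int main(void)
{
    /* Sample string taken from the quoted message. */
    const char *loc = "(secure-test.foo.com) 192.168.1.1->/var/log/secure";
    struct loc_parts p;
    printf("hostname seen by rules: %s\n", effective_hostname(loc, NULL, "localhost"));
    if (split_location(loc, &p) == 1)
        printf("agent=%s ip=%s source=%s\n", p.agent, p.ip, p.source);
    return 0;
}
```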
