https://github.com/ossec/ossec-hids/issues/147 To track this issue. I am not able to reproduce it at this time, but I will be using this to test some more. Please follow the GitHub issue if you want to follow along with updates.
On Thursday, March 6, 2014 9:24:29 PM UTC-5, [email protected] wrote:
>
> Curiouser and curiouser: when the message comes from a remote host, the
> hostname contains something like "(secure-test.foo.com)
> 192.168.1.1->/var/log/secure" rather than simply "secure-test.foo.com".
> Based on a comment in the source code (in
> ossec-hids-2.7/src/analysisd/cleanevent.c), it looks like this may be
> what's supposed to happen:
>
>     /* Every message must be in the format
>      * hostname->location or
>      * (agent) ip->location.
>      */
>
>     /* Setting hostname for local messages */
>     if(lf->location[0] == '(')
>     {
>         /* Messages from an agent */
>         lf->hostname = lf->location;
>     }
>     else if(lf->hostname == NULL)
>     {
>         lf->hostname = __shost;
>     }
>
> Changing the hostnames in the list to match seems to have gotten things
> working.
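
An added example, not part of the thread and not OSSEC code: a small C parser for the "(agent) ip->location" form quoted above, plus a model of the quoted branch, to show why a list key holding only the agent name does not equal the hostname field. The names parse_agent_location, effective_hostname and struct agent_loc are hypothetical, and an exact string comparison stands in for the list lookup (an assumption).

```c
#include <stdio.h>
#include <string.h>

/* Added example, not OSSEC code. Parts of an agent location string. */
struct agent_loc { char agent[128]; char ip[64]; char path[256]; };

/* Copy src[0..n) into dst; fail on empty or oversized fields. */
static int copy_field(char *dst, size_t cap, const char *src, size_t n)
{
    if (n == 0 || n >= cap) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Split "(agent) ip->location" into its parts; 0 on success, -1 if malformed. */
int parse_agent_location(const char *loc, struct agent_loc *out)
{
    const char *rparen, *ip, *arrow;

    if (loc == NULL || out == NULL || loc[0] != '(') return -1;
    rparen = strchr(loc, ')');
    if (rparen == NULL || rparen[1] != ' ') return -1;
    ip = rparen + 2;
    arrow = strstr(ip, "->");
    if (arrow == NULL) return -1;
    if (copy_field(out->agent, sizeof out->agent, loc + 1, (size_t)(rparen - loc - 1))) return -1;
    if (copy_field(out->ip, sizeof out->ip, ip, (size_t)(arrow - ip))) return -1;
    return copy_field(out->path, sizeof out->path, arrow + 2, strlen(arrow + 2));
}

/* Models the quoted branch: agent messages use the whole location as hostname;
 * otherwise an already parsed hostname is kept, else the local host name. */
const char *effective_hostname(const char *location, const char *parsed, const char *local)
{
    if (location[0] == '(') return location;
    return parsed != NULL ? parsed : local;
}

int main(void)
{
    /* Constructed sample in the form shown in the quoted message. */
    const char *loc = "(secure-test.foo.com) 192.168.1.1->/var/log/secure";
    const char *host = effective_hostname(loc, NULL, "localhost");
    struct agent_loc a;

    if (parse_agent_location(loc, &a) != 0) return 1;
    printf("agent=%s ip=%s path=%s\n", a.agent, a.ip, a.path);
    printf("bare agent name equals hostname: %d\n", strcmp(host, a.agent) == 0);
    printf("full location equals hostname:   %d\n", strcmp(host, loc) == 0);
    return 0;
}
```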
