I've searched the decoder.xml file but there doesn't appear to be a field (shown below) that would permit that. I'm guessing you won't know off the top of your head but just thought to post this update in case anyone out there has come across this same problem.

Allowed fields:
- location - where the log came from (only on FTS)
- srcuser - extracts the source username
- dstuser - extracts the destination (target) username
- user - an alias to dstuser (only one of the two can be used)
- srcip - source ip
- dstip - dst ip
- srcport - source port
- dstport - destination port
- protocol - protocol
- id - event id
- url - url of the event
- action - event action (deny, drop, accept, etc)
- status - event status (success, failure, etc)
- extra_data - Any extra data

On Monday, August 4, 2014 5:31:44 PM UTC+1, dan (ddpbsd) wrote:
> On Mon, Aug 4, 2014 at 12:28 PM, Patrick S <[email protected]> wrote:
> > Thanks for your reply; however in this case it's the server itself. So I'm
> > not sure if there's something else that can be modified to show the servers
> > IP.
>
> Modify the source code to display the IP instead of the name.
>
> > On Monday, August 4, 2014 1:28:05 PM UTC+1, dan (ddpbsd) wrote:
> >> On Sun, Aug 3, 2014 at 7:37 AM, Patrick S <[email protected]> wrote:
> >> > In the below alert segment "Ubuntu" is displayed, how can I change it so
> >> > the alert displays the IP address of that computer for every alert?
> >> >
> >> > 2014 Jul 20 06:29:00 ubuntu->/var/log/auth.log
> >>
> >> I think that's the agent name given to the system when you added it
> >> via manage_agents. Change that to the IP instead of the hostname, and
> >> it should work.
> >>
> >> > Thanks :)
> >> >
> >> > --
> >> > ---
> >> > You received this message because you are subscribed to the Google Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an
> >> > email to [email protected].
> >> > For more options, visit https://groups.google.com/d/optout.
