On Thu, Sep 24, 2015 at 5:18 PM, Ben <[email protected]> wrote:
> Glen,
>
> Any advice on changing rsyslog format from hostname to IP addresses? I am
> running on CentOS 6.5, and wanting to change the log hostname to IP address,
> so I can pass the variable to AR command, then I will get to your same
> problem:-) Thanks.
>

The syslog host (in the syslog header) isn't part of the "log message" that
OSSEC investigates, and won't be used in AR.

>
> On Monday, February 9, 2015 at 5:13:35 PM UTC-5, Glen Leeder wrote:
>>
>> Thanks Dan,
>>
>> I've changed my rsyslog format to IP addresses instead of hosts and all is
>> good.
>>
>> Do you know whether the <white_list> directive requires that
>> <expect>srcip</expect> is specified or will it work without that?
>>
>> Glen
>>
>> On Monday, February 9, 2015 at 11:08:11 PM UTC+10, dan (ddpbsd) wrote:
>>>
>>> On Mon, Feb 9, 2015 at 4:26 AM, Glen Leeder <[email protected]> wrote:
>>> > Hi,
>>> >
>>> > I'm using ossec 2.8.1 on Ubuntu 14.04 running locally only, no agents. I
>>> > have the following local_rules.xml defined to exercise syslog monitoring:
>>> >
>>> > $ sudo more /var/ossec/rules/local_rules.xml
>>> > <group name="ossectester,local">
>>> >   <rule id="100000" level="5">
>>> >     <match>OSSEC-TESTER-RULE</match>
>>> >     <description>OSSEC Test Alert</description>
>>> >   </rule>
>>> > </group>
>>> >
>>> > When this rule triggers (by running 'logger "OSSEC-TESTER-RULE"'), an
>>> > active response is executed due to this ossec.conf:
>>> >
>>> > <command>
>>> >   <name>post2slack</name>
>>> >   <executable>ar_slack.sh</executable>
>>> >   <expect></expect>
>>> >   <timeout_allowed>no</timeout_allowed>
>>> > </command>
>>> >
>>> > <active-response>
>>> >   <command>post2slack</command>
>>> >   <location>local</location>
>>> >   <level>4</level>
>>> > </active-response>
>>> >
>>> > This works as expected provided I do not populate the command <expect>
>>> > field. If I specify <expect>srcip</expect> the alert still triggers;
>>> > however, the active response is no longer executed. The syslog entry
>>> > ends up as something like:
>>> >
>>> > Feb 9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE
>>> >
>>>
>>> There is no IP in this log message to be decoded, so it makes sense
>>> that AR won't be triggered if it expects there to be a source ip.
>>>
>>> > I can't determine from the documentation whether this should work or
>>> > not. myhostname resolves to 127.0.0.1 but I haven't got any white_list
>>> > IPs specified anyway (my end goal is to have some white_listing, which
>>> > is why I specified srcip).
>>> >
>>> > Is there an implicit white_list default or another reason why specifying
>>> > srcip causes the response to no longer execute?
>>> > Is <expect>srcip</expect> required for white_list to work?
>>> >
>>> > Best regards,
>>> > Glen
>>> >
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google
>>> > Groups "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> > an email to [email protected].
>>> > For more options, visit https://groups.google.com/d/optout.
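The gating behaviour discussed in the thread, as an added example that is not part of the original posts and not OSSEC's own code: a small Python model of the active-response decision. It follows Dan's explanation that an AR with <expect>srcip</expect> can only run when the decoder actually extracted a source IP, and that the host in the syslog header is not part of the decoded message; it adds a white_list check applied to that decoded IP. The sshd decoder, rule id 5716, the IP addresses and the two sshd log lines are constructed for the example; the OSSEC-TESTER-RULE line and rule 100000 are the thread's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample input. The first line is the one quoted in the thread;
# the sshd lines and the addresses in them are made up for this example.
SAMPLE_LOGS = [
    "Feb  9 19:19:53 myhostname gleeder: OSSEC-TESTER-RULE",
    "Feb  9 19:21:07 myhostname sshd[2231]: Failed password for root from 192.0.2.5 port 4410 ssh2",
    "Feb  9 19:22:30 myhostname sshd[2240]: Failed password for root from 127.0.0.1 port 4411 ssh2",
]

# Stand-in for a decoder that knows how to pull srcip out of an sshd message.
# Hypothetical; OSSEC ships its own decoders in etc/decoder.xml.
SSHD_SRCIP = re.compile(r"Failed password for \S+ from (\d{1,3}(?:\.\d{1,3}){3})")


@dataclass
class Alert:
    level: int
    rule_id: int
    log: str
    srcip: Optional[str] = None   # only set when a decoder extracted it


def decode(line: str) -> Alert:
    """Turn one syslog line into a simplified alert.

    The syslog header (timestamp and host) is dropped before matching, which
    mirrors the point made in the thread: the header host is not part of the
    message that gets decoded, so it can never become srcip.
    """
    msg = line.split(": ", 1)[1] if ": " in line else line
    if "OSSEC-TESTER-RULE" in msg:           # rule 100000 from local_rules.xml
        return Alert(level=5, rule_id=100000, log=msg)
    m = SSHD_SRCIP.search(msg)
    if m:                                    # hypothetical sshd rule id
        return Alert(level=5, rule_id=5716, log=msg, srcip=m.group(1))
    return Alert(level=0, rule_id=0, log=msg)


@dataclass
class ActiveResponse:
    """Model of one <active-response> block plus its <command>'s <expect>."""
    command: str
    level: int                         # <level> in <active-response>
    expect: str = ""                   # "" for an empty <expect>, or "srcip"
    white_list: Set[str] = field(default_factory=set)   # global <white_list>

    def should_run(self, alert: Alert) -> Tuple[bool, str]:
        if alert.level < self.level:
            return False, "below AR level"
        if self.expect == "srcip":
            if alert.srcip is None:
                return False, "expects srcip but none decoded"
            if alert.srcip in self.white_list:
                return False, f"{alert.srcip} is white-listed"
        return True, "run"


def evaluate(lines: List[str], ar: ActiveResponse) -> List[Tuple[str, bool, str]]:
    """Return (message, fires?, reason) for every line under the given AR."""
    return [(alert.log, *ar.should_run(alert)) for alert in map(decode, lines)]


if __name__ == "__main__":
    no_expect = ActiveResponse("post2slack", level=4)
    with_srcip = ActiveResponse("post2slack", level=4, expect="srcip",
                                white_list={"127.0.0.1"})
    for name, ar in (("empty <expect>", no_expect), ("<expect>srcip</expect>", with_srcip)):
        print(f"== {name}")
        for msg, fires, why in evaluate(SAMPLE_LOGS, ar):
            print(f"  {'RUN ' if fires else 'skip'}  {why:32}  {msg}")
```

With the empty <expect> every level-5 alert fires the command, which is what Glen observed. With <expect>srcip</expect> the OSSEC-TESTER-RULE line is skipped because nothing was decoded as srcip, the 192.0.2.5 line fires, and the 127.0.0.1 line is held back by the white_list. In this model the white_list can only ever be consulted when an IP was decoded, which is why the expect setting and white-listing go together.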
