Hi, I hope you reached a solution for your problem, and if you did, can you share the solution with me, because I have been struggling with the same problem for a few days...
On Sunday, May 3, 2015 at 2:43:06 PM UTC+3, AMINE.E wrote:
>
> I know that snort full logs are multiple lines. And I didn't use
> ossec-logtest for testing.
> What I got each time is the first line of my snort full log. I want the
> others because they contain useful data like source_ip/source_port....
>
> On Sunday, May 3, 2015 at 12:56:00 AM UTC+1, dan (ddpbsd) wrote:
>>
>> On May 2, 2015 7:51 PM, "AMINE.E" <[email protected]> wrote:
>> >
>> > Hi
>> >
>> > I have noticed something with snort-full log format, that it is not
>> > logging the full_log into "/var/ossec/logs/alerts/alert.log".
>> > It just takes the first line and logs it. And when I ran
>> > ossec-logcollector with debug mode I can see this:
>>
>> It's been a while, but aren't snort full logs multiple lines? Including a
>> multi-line log inside a multi-line log might be a bit cumbersome.
>>
>> > 2015/05/03 00:22:13 ossec-logcollector: DEBUG: Reading syslog message: ........
>> >
>> > syslog? It is not what I have configured ossec to. Because:
>> > <localfile>
>> >   <log_format>snort-full</log_format>
>> >   <location>/var/log/snort/alert</location>
>> > </localfile>
>> >
>>
>> I don't think ossec-logtest pays attention to that configuration.
>>
>> > Where might be the problem?
>> >
>>
>> I don't think there is one.
>>
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
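As an added illustration of the multi-line point discussed in this thread (not OSSEC or Snort code, and not written by any poster): a small Python parser that groups a Snort full-format alert file into one record per alert and pulls the source and destination address and port from the lines after the first. The sample alerts are constructed, the function names are hypothetical, and only IPv4 flow lines are handled.

```python
import re

# Constructed sample in the Snort "full" alert layout (not taken from the thread).
SAMPLE = """\
[**] [1:1000001:1] Constructed TCP test rule [**]
[Classification: Misc activity] [Priority: 3]
05/03-00:22:13.481920 10.0.0.5:51234 -> 10.0.0.9:80
TCP TTL:64 TOS:0x0 ID:4660 IpLen:20 DgmLen:60 DF
******S* Seq: 0x1A2B3C4D  Ack: 0x0  Win: 0x7210  TcpLen: 40

[**] [1:1000002:1] Constructed ICMP test rule [**]
[Priority: 0]
05/03-00:22:14.000100 10.0.0.7 -> 10.0.0.9
ICMP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:84 DF
Type:8  Code:0  ID:4242   Seq:1  ECHO
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
FLOW = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
                  r"([\d.]+)(?::(\d+))? -> ([\d.]+)(?::(\d+))?$")

def split_records(text):
    # A new alert starts at each "[**]" header; blank lines only separate alerts.
    records = []
    for line in text.splitlines():
        if line.startswith("[**]"):
            records.append([])
        if line.strip() and records:
            records[-1].append(line.rstrip())
    return records

def parse_record(lines):
    # Keep the whole alert as full_log, then pull fields from header and flow lines.
    alert = {"full_log": "\n".join(lines), "src_port": None, "dst_port": None}
    head = HEADER.match(lines[0])
    if head:
        alert.update(sid=int(head.group(2)), msg=head.group(4))
    for line in lines[1:]:
        flow = FLOW.match(line)
        if flow:
            ts, src, sport, dst, dport = flow.groups()
            alert.update(time=ts, src_ip=src, dst_ip=dst)
            if sport and dport:  # ICMP alerts carry no ports
                alert.update(src_port=int(sport), dst_port=int(dport))
            break
    return alert

def parse_alerts(text):
    return [parse_record(r) for r in split_records(text)]
```

Reading only the first line of each record yields the rule message but none of the flow fields, which sit on the third line of the alert.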
