Re: [ossec-list] Hostname instead of ip in alert from syslog-device

2018-05-08 Thread Александр Канайкин
Thanks, Jared. I'm using OSSEC in a Security Onion environment. Labels are a great idea, in my opinion. As I can see, labels are not implemented in OSSEC. Thanks, Dan. I've opened an issue. On Tue, May 8, 2018 at 5:14 AM dan (ddp) wrote: > On Mon, May 7, 2018 at 10:13 PM, dan (ddp)

Re: [ossec-list] Hostname instead of ip in alert from syslog-device

2018-05-07 Thread dan (ddp)
On Mon, May 7, 2018 at 10:13 PM, dan (ddp) wrote: > On Mon, May 7, 2018 at 2:57 AM, Александр Канайкин > wrote: >> Hi guys! >> >> Is there an ability to configure resolving hostname in alert from syslog >> device (not an agent)? >> >> For example can :

Re: [ossec-list] Hostname instead of ip in alert from syslog-device

2018-05-07 Thread dan (ddp)
On Mon, May 7, 2018 at 2:57 AM, Александр Канайкин wrote: > Hi guys! > > Is there an ability to configure resolving hostname in alert from syslog > device (not an agent)? > > For example can : > > Received From: ids->10.10.19.1 > > look like > > > Received From:

Re: [ossec-list] Hostname instead of ip in alert from syslog-device

2018-05-07 Thread Jared Greene
Hello, If it helps, we use labels (Wazuh) on every agent so that we have the host name for every log, even if the host name and IP are not in the logs. We have our own agent that installs the OSSEC, Nessus and all Beats agents and populates the labels automatically for all of our customers.

Re: [ossec-list] Hostname instead of ip in alert from syslog-device

2018-05-07 Thread Александр Канайкин
Thanks anyway. Still searching for resolution. On Mon, May 7, 2018, 21:36 David Lang wrote: > Sorry, I'm replying to a different mailing list than I thought I was (I > thought > I was replying to a message on the rsyslog mailing list) > > On Mon, 7 May 2018, David Lang wrote: > >

Re: [ossec-list] Hostname instead of ip in alert from syslog-device

2018-05-07 Thread David Lang
Sorry, I'm replying to a different mailing list than I thought I was (I thought I was replying to a message on the rsyslog mailing list). On Mon, 7 May 2018, David Lang wrote: please log some message using the template RSYSLOG_DebugFormat so that we can see what variables are in there. There

Re: [ossec-list] Hostname instead of ip in alert from syslog-device

2018-05-07 Thread David Lang
Please log some message using the template RSYSLOG_DebugFormat so that we can see what variables are in there. There is not a direct way to call name resolution if you have an IP address in the content, but you could use a table lookup. David Lang

[ossec-list] Hostname instead of ip in alert from syslog-device

2018-05-07 Thread Александр Канайкин
Hi guys! Is there an ability to configure resolving the hostname in an alert from a syslog device (not an agent)? For example, can:

Received From: ids->10.10.19.1

look like

Received From: ids->asa123

or

Received From: ids->asa123.example.com

Thanks in advance.