Thanks, Jared. I'm using OSSEC in a Security Onion environment. Labels are a great idea, as far as I'm concerned. As far as I can see, labels are not implemented in OSSEC.
Thanks, Dan. I've opened an issue.
On Tue, May 8, 2018 at 5:14 AM dan (ddp) wrote:
> On Mon, May 7, 2018 at 10:13 PM, dan (ddp) wrote:
>> On Mon, May 7, 2018 at 2:57 AM, Александр Канайкин wrote:
Hello,
If it helps, we use labels (Wazuh) on every agent so that we have the host name for every log, even if the host name and IP are not in the logs. We have our own agent that installs the OSSEC, Nessus and all Beats agents and populates the labels automatically for all of our customers.
Thanks anyway. Still searching for a resolution.
On Mon, May 7, 2018, 21:36 David Lang wrote:
Sorry, I'm replying to a different mailing list than I thought I was (I thought I was replying to a message on the rsyslog mailing list).
On Mon, 7 May 2018, David Lang wrote:
Please log some message using the template RSYSLOG_DebugFormat so that we can see what variables are in there.
There is not a direct way to call name resolution if you have an IP address in the content, but you could use a table lookup.
David Lang
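One way to get what the original question asks for with the table lookup David suggests, as an added example that is not code from the thread, from OSSEC or from rsyslog: a small Python post-processor for OSSEC e-mail alerts that swaps the source IP in the "Received From:" line for a name from a static host table. The host table, the sample alert and the function names are constructed for illustration; the dictionary returned by rsyslog_lookup_table() follows the rsyslog 8 lookup-table file format (version 1, string type) so the same map can be used with lookup_table()/lookup() in rsyslog.conf instead of in a script.

```python
import ipaddress
import json
import re

# Constructed lookup table (assumption: maintained by hand or exported from
# an asset inventory): syslog-device IP -> fully qualified host name.
HOST_TABLE = {
    "10.10.19.1": "asa123.example.com",
    "10.10.19.2": "asa124.example.com",
}

# "Received From:" header of an OSSEC e-mail alert: <location>-><source>.
# For a syslog device the location is the collector name and the source is
# the device IP ("ids->10.10.19.1"); for an agent the location is
# "(agent) ip" and the source is a log path, which must be left alone.
RECEIVED_FROM_RE = re.compile(
    r"^(?P<prefix>Received From: )(?P<location>.+?)->(?P<source>.+)$"
)

# Constructed sample alert in the OSSEC e-mail format; only the
# "Received From" line is touched, the raw log line keeps its IP.
SAMPLE_ALERT = """OSSEC HIDS Notification.
2018 May 07 09:14:18

Received From: ids->10.10.19.1
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

May  7 09:14:17 10.10.19.1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4444 dst inside:10.10.20.5/22
"""


def resolve_source(source, table, fqdn=True):
    """Map an IP-address source to a host name via the table.

    Returns None when the source is not an IP address (agent log path,
    already a name) or when the table has no entry, so the caller keeps
    the original text instead of guessing.
    """
    try:
        ip = ipaddress.ip_address(source.strip())
    except ValueError:
        return None
    name = table.get(str(ip))
    if name is None:
        return None
    return name if fqdn else name.split(".", 1)[0]


def rewrite_received_from(line, table, fqdn=True):
    """Rewrite one alert line; lines that do not match are returned unchanged."""
    m = RECEIVED_FROM_RE.match(line)
    if m is None:
        return line
    name = resolve_source(m.group("source"), table, fqdn)
    if name is None:
        return line
    return f"{m.group('prefix')}{m.group('location')}->{name}"


def rewrite_alert(alert_text, table, fqdn=True):
    """Apply the rewrite to every line of an alert body."""
    return "\n".join(rewrite_received_from(ln, table, fqdn) for ln in alert_text.splitlines())


def rsyslog_lookup_table(table, nomatch="unknown"):
    """The same mapping as an rsyslog lookup-table document (version 1,
    string type): the 'table lookup' route of rewriting in rsyslog before
    OSSEC ever sees the message. Load it with lookup_table() and query it
    with lookup() in rsyslog.conf."""
    return {
        "version": 1,
        "nomatch": nomatch,
        "type": "string",
        "table": [{"index": ip, "value": name} for ip, name in sorted(table.items())],
    }


if __name__ == "__main__":
    print(rewrite_alert(SAMPLE_ALERT, HOST_TABLE))
    print(json.dumps(rsyslog_lookup_table(HOST_TABLE), indent=2))
```

Unmapped addresses stay as IPs rather than being replaced by a guess, and agent lines (where the source is a log path) are untouched. A reverse-DNS fallback could be added in resolve_source(), but it would need a timeout and a cache, since a slow or missing PTR record would otherwise delay every alert.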
Hi guys!
Is there a way to configure hostname resolution in an alert from a syslog device (not an agent)?
For example, can:
Received From: ids->10.10.19.1
look like
Received From: ids->asa123
or
Received From: ids->asa123.example.com
Thanks in advance.