On 9/30/07, Daniel Cid <[EMAIL PROTECTED]> wrote:
>
> Hi JM,
>
> I think you are confusing it a bit. The logformat in the "localfile"
> configuration is only used to tell ossec how to read the logs, not
> anything else. In fact, the apache, squid, syslog fields act the same
> in there (all one entry per line logs)...
>
> What determines the "category" of them is the decoder. If the decoder
> reads a PIX log, it will set it to the "firewall" category, or if it
> reads an apache log, it will set it as web_log (look at the
> decoders.xml and the type tags).
>
That makes sense. Thanks for the clarification.

> Regarding your log, our decoder is not treating it properly as a
> firewall because it has an additional hostname in there. [trim]
> *btw, you can keep the additional timestamp in there, but not the
> extra hostname.
>
Ok, so I examined the decoder.xml file and found the location that detects
PIX/ASA. I then copied the lines and commented out a pair (so I could undo
any damage I might cause.. :-) I added a \w+ in between the date and the
%ASA-... to match the extra hostname and -- WOW! I'm getting much better
alerts now! :-D

> Hope it helps.
>
Tremendously! Thanks again.

JM
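The exchange above boils down to one point: the decoder's prematch decides whether a line is classified as a firewall event at all, so a prematch that does not tolerate the device's own timestamp and hostname silently demotes every ASA line to "unknown" and no firewall rules ever fire. The script below is an added illustration of that failure mode and of JM's fix, written in Python rather than OSSEC's own regex dialect; it is not the contents of OSSEC's decoder.xml. The two prematch patterns, the field pattern, the log samples and the `classify` helper are all assumptions constructed for this example, and OSSEC's `\w` and regex syntax differ from Python's `re`, so only the idea (insert a hostname token between the timestamp and `%ASA-`) carries over.

```python
import re

# Constructed sample message bodies (the part after the syslog header).
# Not real captures: hosts, ports and connection id are made up.
PLAIN = ("%ASA-6-302013: Built inbound TCP connection 1234 for "
         "outside:10.0.0.5/51515 (10.0.0.5/51515) to "
         "inside:192.168.1.10/443 (192.168.1.10/443)")
WITH_TS = "Sep 30 2007 12:00:01: " + PLAIN              # device timestamp only
WITH_TS_HOST = "Sep 30 2007 12:00:01 fw01 : " + PLAIN   # timestamp + device hostname

ASA_TS = r"\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d"

# Assumed approximation of the prematch before the change: an optional
# device timestamp, then the %ASA- marker. An extra hostname breaks it.
PREMATCH_BEFORE = re.compile(rf"^(?:{ASA_TS}: )?%ASA-")

# Assumed approximation after JM's change: allow one \w+ token (the device
# hostname) between the timestamp and the colon.
PREMATCH_AFTER = re.compile(rf"^(?:{ASA_TS}(?: \w+ )?: )?%ASA-")

# Assumed field extraction for a 302013-style connection message.
FIELDS = re.compile(
    r"%ASA-(\d)-(\d+): (\w+) (inbound|outbound) (\w+) connection \d+ "
    r"for \w+:([\d.]+)/(\d+) .* to \w+:([\d.]+)/(\d+)"
)


def classify(msg, prematch):
    """Return a decoded firewall event, or None when the prematch rejects
    the line (which is what 'no firewall alerts' looks like in practice)."""
    if not prematch.search(msg):
        return None
    m = FIELDS.search(msg)
    if not m:
        # Prematch hit but the line is a different ASA message type:
        # still category firewall, just without connection fields.
        return {"category": "firewall"}
    sev, msg_id, action, direction, proto, src, sport, dst, dport = m.groups()
    return {
        "category": "firewall",
        "severity": int(sev),
        "id": msg_id,
        "action": action.lower(),
        "direction": direction,
        "protocol": proto,
        "src": src, "srcport": int(sport),
        "dst": dst, "dstport": int(dport),
    }


def compare(msg):
    """Classify one message with both prematch variants, side by side."""
    return {
        "before": classify(msg, PREMATCH_BEFORE),
        "after": classify(msg, PREMATCH_AFTER),
    }


if __name__ == "__main__":
    for name, line in (("plain", PLAIN), ("ts", WITH_TS), ("ts+host", WITH_TS_HOST)):
        r = compare(line)
        print(f"{name:8} before={'firewall' if r['before'] else 'UNKNOWN':8} "
              f"after={'firewall' if r['after'] else 'UNKNOWN'}")
```

Run it and the third line shows the gap: with the device hostname present the old pattern classifies nothing, the new one yields a firewall event with source and destination filled in. When loosening a prematch like this, keep the token anchored between the timestamp and the colon rather than using an unanchored wildcard, so lines from other devices cannot be mislabelled as firewall events.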