Hi Dave,

It is probably related to the format of the messages that OSSEC can't decode/parse properly.
You need to follow these recommendations:

http://ossec.net/wiki/index.php/PIX_and_IOS_Syslog_Config_examples#Configuring_PIX

Especially:

> no names
> no logging device-id
> no logging timestamp

If that's not the issue, can you show us some of the logs that are not working properly?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Tue, Aug 4, 2009 at 6:43 PM, <[email protected]> wrote:
> Hello List,
> Recently we re-worked some of our network and it involved changing the
> address of the firewall. The firewall is an ASA reporting syslog to the
> ossec machine. It is the only device that I have configured in allowed ips
> in the ossec.conf file. The ossec box address stayed the same. Now instead
> of getting for example "PIX error message" or "PIX warning message" every
> event from the FW is "unknown error somewhere in the system". I was
> thinking that maybe this is a key issue in the ossec box? Anybody
> experienced this?
>
> V/r,
> Dave
