Run this message through /var/ossec/bin/ossec-logtest
Writing a decoder for this shouldn't be too difficult.
There isn't really a srcip for this event (if I'm reading it right).
The event looks like a local event (local to the agent that reported
it), so there wouldn't be a srcip involved.

On Sun, Mar 28, 2010 at 5:15 PM, Davide D'Amico <davide.dam...@gmail.com> wrote:
> Hi,
> I'm using syslog-ng to collect and centralize log management.
>
> Syslog is configured:
>
> [...]
> destination d_ossec {
>  udp(127.0.0.1, destport(1025) spoof_source(yes) template($MSG));
> };
>
> source s_network {
>        udp();
>        tcp(port(514) max-connections(1000));
> };
>
>
> log {
>  source(s_network);
>  filter(f_network6);
>  destination(d_ossec);
> };
>
>
> [...]
>
> Well, I receive in syslog log file:
>
> r...@newton:/var/ossec/logs/alerts# tail -1
> /usr/local/logs/network7/esx.housing.tomato.lan/2010/03/28/local6.log
> Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770
> cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5
> oid: 1700000003000000b type CHAR: Would block
>
> While I see in alerts.log:
>
> ** Alert 1269810692.31088430: - syslog,errors,
> 2010 Mar 28 23:11:32 newton->172.16.7.120
> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
> Src IP: (none)
> User: (none)
> vmkernel: 18:11:01:08.770 cpu1:921599)WARNING: UserObj: 565: Failed to
> crossdup fd 1, fs: def5 oid: 1700000003000000b type CHAR: Would block
>
> Why do I see Src IP and User empty? I mean, I can understand an empty
> username (it's a remote event), but why is Src IP empty?
>
> Rule 1002 is:
>
>  <rule id="1002" level="2">
>    <match>$BAD_WORDS</match>
>    <description>Unknown problem somewhere in the system.</description>
>  </rule>
>
>
> Thanks,
> --
> d.
>
> To unsubscribe from this group, send email to 
> ossec-list+unsubscribegooglegroups.com or reply to this email with the words 
> "REMOVE ME" as the subject.
>

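The reply above suggests writing a decoder for the vmkernel message and checking it with ossec-logtest. The script below is an added illustration, not OSSEC code and not something either poster wrote: it emulates, in plain Python, what an OSSEC decoder chain does with this line (match the parent decoder on the program name, select a child decoder by prematch, apply a regex after the prematch, and assign the capture groups to OSSEC field names via an order list). The child decoder, its field mapping (extra_data, id, status) and the second, non-warning vmkernel line are all assumptions made for the example; the regexes are Python syntax, not OSSEC's regex dialect. Running it shows the point made in the reply: nothing in the message supplies a srcip, so that field stays empty no matter how the decoder is written.

```python
import re

# Constructed sample input. The first line is the vmkernel warning from the
# thread as syslog-ng would have written it to the per-host file; the second
# is an invented vmkernel line that carries no WARNING, to show the fallthrough.
SAMPLE_LINES = [
    "Mar 28 21:11:33 esx.housing.tomato.lan vmkernel: 18:11:01:08.770 "
    "cpu1:921599)WARNING: UserObj: 565: Failed to crossdup fd 1, fs: def5 "
    "oid: 1700000003000000b type CHAR: Would block",
    "Mar 28 21:12:01 esx.housing.tomato.lan vmkernel: 18:11:01:36.002 "
    "cpu0:4096)Net: 1234: connected vmnic0 to vSwitch0",
]

# BSD-style syslog header: timestamp, hostname, program[pid]: message.
SYSLOG_HEADER = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<program>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Field names an OSSEC <order> list can populate; all start out empty, which is
# exactly why the alert shows "Src IP: (none)" for a message with no address in it.
OSSEC_FIELDS = ("srcip", "dstip", "srcuser", "dstuser", "id", "status",
                "extra_data", "data")

# Hypothetical child decoders for the "vmkernel" parent, shaped like an OSSEC
# <decoder> block: prematch selects the decoder, regex runs on the text after
# the prematch (offset="after_prematch"), order names the fields the capture
# groups fill. The mapping chosen here is an assumption for the example.
VMKERNEL_DECODERS = [
    {
        "name": "vmkernel-warning",
        "prematch": re.compile(r"\)WARNING: "),
        "regex": re.compile(r"^(\S+): (\d+): (.+)$"),
        "order": ["extra_data", "id", "status"],
    },
]


def decode(line):
    """Return the fields an OSSEC-style decoder chain would extract, or None
    if the line is not syslog-shaped at all."""
    hdr = SYSLOG_HEADER.match(line)
    if not hdr:
        return None
    fields = {name: None for name in OSSEC_FIELDS}
    fields["hostname"] = hdr.group("hostname")
    fields["program_name"] = hdr.group("program")
    fields["log"] = hdr.group("msg")
    fields["decoder"] = None
    if hdr.group("program") != "vmkernel":
        return fields          # parent decoder (program_name match) did not fire
    fields["decoder"] = "vmkernel"
    msg = hdr.group("msg")
    for child in VMKERNEL_DECODERS:
        pm = child["prematch"].search(msg)
        if not pm:
            continue
        m = child["regex"].match(msg[pm.end():])   # after_prematch semantics
        if not m:
            continue
        fields["decoder"] = child["name"]
        for name, value in zip(child["order"], m.groups()):
            fields[name] = value
        break                   # first matching child wins, as in OSSEC
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        result = decode(line)
        print("decoder: %s" % result["decoder"])
        for name in ("hostname", "program_name", "srcip", "id", "extra_data", "status"):
            print("  %-12s %s" % (name, result[name]))
```

Once the real decoder is written in XML, the same two lines pasted into /var/ossec/bin/ossec-logtest should show the same decoder name and fields; if ossec-logtest still reports the parent decoder only, the prematch or the offset is the first thing to check.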