Hello Folks,
The format of OSSEC's syslog output for OSSEC clients is as typified in this example:

    discosco ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; Location: (lady-dev.gaga.net) 74.143.171.166->/var/log/secure; srcip: 72.55.156.23; Apr 12 22:35:40 lady-dev sshd[19838]: Invalid user recruit from 72.55.156.23

Note that the value of the Location field is the FQDN of the OSSEC client host followed by its IP address; this is what we want.

On the other hand, this is the format of the OSSEC syslog output for the OSSEC server itself, as typified in this example:

    discosco ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; Location: discosco->/var/log/secure; srcip: 72.55.156.23; Apr 12 22:35:40 cricket-dev sshd[19838]: Invalid user recruit from 72.55.156.23

Note that the Location field has the relative name of the host rather than the FQDN, and we really want the FQDN. Further, note that the syslog output record for the OSSEC server host does NOT include the IP address of the host.

We would very much like the format of the OSSEC syslog output entries for the OSSEC server host to have the same structure as the format of the OSSEC syslog output entries for the OSSEC clients. The reason is that we are exporting the OSSEC syslog output to a syslog server where we process this output, and for this we need the format of the OSSEC syslog output to be consistent.

Hopefully, you will make the necessary changes in the OSSEC code, but is there anything I can specify in the OSSEC configuration files in the meantime?

Thanks,
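Until the Location field is made uniform in OSSEC itself, the inconsistency described in the post can be absorbed on the receiving syslog server. The following is an added example (my own code, not OSSEC's and not part of the original post): it parses both Location forms quoted above, and for server-form alerts fills in the FQDN and IP from a hand-maintained lookup table so that every record can be re-emitted in the agent form "(fqdn) ip->source". The two sample alert lines are copied from the post; the SERVER_IDENTITY table and the FQDN/IP it assigns to discosco are assumptions made up for the example.

```python
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Constructed sample input: the two alert forms quoted in the post, one from an
# OSSEC agent and one from the OSSEC server itself, as delivered over syslog.
AGENT_ALERT = (
    "discosco ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get "
    "access to the system.; Location: (lady-dev.gaga.net) 74.143.171.166->/var/log/secure; "
    "srcip: 72.55.156.23; Apr 12 22:35:40 lady-dev sshd[19838]: Invalid user recruit "
    "from 72.55.156.23"
)
SERVER_ALERT = (
    "discosco ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get "
    "access to the system.; Location: discosco->/var/log/secure; srcip: 72.55.156.23; "
    "Apr 12 22:35:40 cricket-dev sshd[19838]: Invalid user recruit from 72.55.156.23"
)

# Assumed lookup table maintained on the receiving syslog server: short hostname of
# the OSSEC server -> (FQDN, IP). The values are made up; this is a local workaround,
# not an OSSEC configuration setting.
SERVER_IDENTITY: Dict[str, Tuple[str, str]] = {
    "discosco": ("discosco.gaga.net", "10.0.0.5"),
}


class Alert(NamedTuple):
    reporter: str
    level: int
    rule_id: int
    rule_desc: str
    host: str               # FQDN where the alert carries one, else short name
    host_ip: Optional[str]  # None when the alert form omits it (server form)
    log_source: str         # text after "->", e.g. /var/log/secure
    srcip: Optional[str]
    message: str
    form: str               # "agent" or "server"


# Field layout as shown in the two quoted lines; srcip is optional because not
# every rule sets it.
HEADER_RE = re.compile(
    r"^(?P<reporter>\S+) ossec: Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule>\d+) - (?P<desc>.*?); "
    r"Location: (?P<location>[^;]+); "
    r"(?:srcip: (?P<srcip>[^;]+); )?"
    r"(?P<message>.*)$"
)
# Agent form: "(fqdn) ip->source"; server form: "host->source".
AGENT_LOC_RE = re.compile(r"^\((?P<host>[^)]+)\) (?P<ip>\S+)->(?P<source>.+)$")
SERVER_LOC_RE = re.compile(r"^(?P<host>[^\s(>]+)->(?P<source>.+)$")


def parse_alert(line: str) -> Alert:
    """Parse one OSSEC syslog alert line, recognising both Location forms."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an OSSEC syslog alert: %r" % line)
    loc = m.group("location")
    a = AGENT_LOC_RE.match(loc)
    if a:
        host, ip, source, form = a.group("host"), a.group("ip"), a.group("source"), "agent"
    else:
        s = SERVER_LOC_RE.match(loc)
        if not s:
            raise ValueError("unrecognised Location field: %r" % loc)
        host, ip, source, form = s.group("host"), None, s.group("source"), "server"
    return Alert(m.group("reporter"), int(m.group("level")), int(m.group("rule")),
                 m.group("desc"), host, ip, source, m.group("srcip"),
                 m.group("message"), form)


def normalize(alert: Alert, identities: Dict[str, Tuple[str, str]] = SERVER_IDENTITY) -> Alert:
    """Give server-form alerts the FQDN and IP the agent form already carries."""
    if alert.form != "server":
        return alert
    fqdn, ip = identities.get(alert.host, (alert.host, None))
    return alert._replace(host=fqdn, host_ip=ip)


def format_location(alert: Alert) -> str:
    """Render the Location field in the agent form when an IP is known."""
    if alert.host_ip is None:
        return "%s->%s" % (alert.host, alert.log_source)
    return "(%s) %s->%s" % (alert.host, alert.host_ip, alert.log_source)


def rewrite_line(line: str, identities: Dict[str, Tuple[str, str]] = SERVER_IDENTITY) -> str:
    """Rewrite a raw alert so agent and server records share one Location layout."""
    alert = normalize(parse_alert(line), identities)
    old_loc = HEADER_RE.match(line.strip()).group("location")
    return line.replace("Location: %s;" % old_loc, "Location: %s;" % format_location(alert), 1)


if __name__ == "__main__":
    for raw in (AGENT_ALERT, SERVER_ALERT):
        print(rewrite_line(raw))
```

Agent-form lines pass through unchanged; a server-form line whose short name is not in the table keeps its short name and gets no IP, so nothing is fabricated silently. In a real deployment the table would be populated from the OSSEC server's own hostname and address rather than typed in by hand.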