Hi blacklight,

On Fri, May 6, 2011 at 3:48 PM, blacklight <vphu...@yahoo.com> wrote:
> Hello Folks,
>
> The exported syslog entries from our OSSEC agent hosts have the following format:
>
> ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; Location: (ossecclient.domain.com) 74.143.171.166->/var/log/secure; srcip: 72.55.156.23; Apr 12 22:35:40 ossecclient sshd[19838]: Invalid user recruit from 72.55.156.23
>
> The format above is the format we want for all hosts including the OSSEC server hosts. Note that the format above includes
> - FQDN of the OSSEC client host embedded in parentheses
> - IP address of the OSSEC client host
>
> In contrast, the syslog entry from our OSSEC server host has the following format:
>
> ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get access to the system.; Location: ossecserver->/var/log/secure; srcip: 72.55.156.23; Apr 12 22:35:40 ossecserver sshd[19838]: Invalid user recruit from 72.55.156.23
>
> Note that the name of the OSSEC server host in the Location field is not FQDN, is not embedded in parentheses and does not include its interface IP address. We very much want the syslog entry format from the OSSEC server host to include all three as per the format of all syslog entries from all OSSEC agent hosts. And note that the FQDN is
>
> Consistency in the formatting of all syslog entries from OSSEC agents and servers enables us to parse these entries accurately and predictably - yes, the parser of our syslog server is awfully limited in capability, which is why we need the format consistency.
>
> I am hoping that you can take quick remedial action for this situation. In the meantime, is there anything I can do configuration-wise on my own short of changing the source code by myself?
>
> Regards,
You'll have to modify the source to change this behavior. If you make the changes, forward a patch to the list.
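Until the exported format is made consistent at the source, the receiving side can absorb the difference: the two Location forms quoted above ("(fqdn) ip->file" from agents, "hostname->file" from the server's own logs) can be parsed into the same set of fields. The parser below is an added example written for this thread, not OSSEC's code or anything from the list; it uses the two sample lines from the question (joined onto single lines) as constructed input, and the field layout it assumes is exactly the one shown in those lines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Two sample alerts, constructed from the lines quoted in the thread.
AGENT_LINE = (
    "ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to "
    "get access to the system.; Location: (ossecclient.domain.com) "
    "74.143.171.166->/var/log/secure; srcip: 72.55.156.23; Apr 12 22:35:40 "
    "ossecclient sshd[19838]: Invalid user recruit from 72.55.156.23"
)
SERVER_LINE = (
    "ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to "
    "get access to the system.; Location: ossecserver->/var/log/secure; "
    "srcip: 72.55.156.23; Apr 12 22:35:40 ossecserver sshd[19838]: Invalid user "
    "recruit from 72.55.156.23"
)

# Layout of the exported alert line as shown in the thread; "srcip" is optional
# because not every rule carries a source IP.
ALERT_RE = re.compile(
    r"^(?P<server>\S+) ossec: Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule_id>\d+) - (?P<rule_desc>.*?); "
    r"Location: (?P<location>.*?)->(?P<log_file>[^;]+); "
    r"(?:srcip: (?P<srcip>[^;]+); )?"
    r"(?P<message>.*)$"
)

# Agent form of the Location prefix: "(fqdn) ip". Anything else is treated as
# the bare hostname the server writes for its own logs.
LOCATION_RE = re.compile(r"^\((?P<fqdn>[^)]+)\)\s+(?P<ip>\S+)$")


@dataclass
class OssecAlert:
    server: str            # host that exported the alert (the OSSEC server)
    level: int
    rule_id: int
    rule_desc: str
    host: str              # FQDN (agent form) or bare hostname (server form)
    host_ip: Optional[str] # None when the server form carries no IP
    log_file: str
    srcip: Optional[str]
    message: str
    location_form: str     # "agent" or "server", so consumers can tell them apart


def parse_alert(line: str) -> Optional[OssecAlert]:
    """Parse one exported OSSEC alert line; return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    location = m.group("location").strip()
    lm = LOCATION_RE.match(location)
    if lm:
        host, host_ip, form = lm.group("fqdn"), lm.group("ip"), "agent"
    else:
        host, host_ip, form = location, None, "server"
    return OssecAlert(
        server=m.group("server"),
        level=int(m.group("level")),
        rule_id=int(m.group("rule_id")),
        rule_desc=m.group("rule_desc"),
        host=host,
        host_ip=host_ip,
        log_file=m.group("log_file"),
        srcip=m.group("srcip"),
        message=m.group("message"),
        location_form=form,
    )


def parse_lines(lines: Iterable[str]) -> List[OssecAlert]:
    """Parse many lines, silently skipping ones that are not OSSEC alerts."""
    return [a for a in (parse_alert(l) for l in lines) if a is not None]


def count_by_srcip(alerts: Iterable[OssecAlert], rule_id: int) -> Counter:
    """Tally alerts of one rule per source IP, regardless of Location form."""
    return Counter(a.srcip for a in alerts if a.rule_id == rule_id and a.srcip)


if __name__ == "__main__":
    for a in parse_lines([AGENT_LINE, SERVER_LINE, "not an ossec line"]):
        print(f"{a.location_form:6} host={a.host} ip={a.host_ip} "
              f"rule={a.rule_id} srcip={a.srcip} file={a.log_file}")
    print(count_by_srcip(parse_lines([AGENT_LINE, SERVER_LINE]), 5712))
```

Because both forms land in the same `OssecAlert` fields, downstream logic (here a per-source tally for rule 5712) does not need to know which host produced the entry; `location_form` is kept so a consumer that does care about the missing IP on server-local entries can still flag them.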