Hello Dan,

Would you mind pointing out to me which subroutine of which module I
should modify? Your answer does not need to be exact - as long as I
don't have to wade through the entire code :)

I told my boss I wanted to make the change on my own time but my boss
was gracious about it :)

On May 6, 3:55 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
> Hi blacklight,
>
> On Fri, May 6, 2011 at 3:48 PM, blacklight <vphu...@yahoo.com> wrote:
> > Hello Folks,
>
> > The exported syslog entries from our OSSEC agent hosts have the
> > following format
>
> > ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force
> > trying to get access to the system.; Location:
> > (ossecclient.domain.com) 74.143.171.166->/var/log/secure; srcip:
> > 72.55.156.23;  Apr 12 22:35:40 ossecclient sshd[19838]: Invalid user
> > recruit from 72.55.156.23
>
> > The format above is the format we want for all hosts including the
> > OSSEC server hosts. Note that the format above includes
> > - FQDN of the OSSEC client host embedded in parentheses
> > - IP address of the OSSEC client host
>
> > In contrast, the syslog entry from our OSSEC server host has the
> > following format
>
> > ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force
> > trying to get access to the system.; Location: ossecserver->/var/log/
> > secure; srcip: 72.55.156.23;  Apr 12 22:35:40 ossecserver sshd[19838]:
> > Invalid user recruit from 72.55.156.23
>
> > Note that the name of the OSSEC server host in the Location field is
> > not FQDN, is not embedded in parentheses and does not include its
> > interface IP address. We very much want the syslog entry format from
> > the OSSEC server host to include all three as per the format of all
> > syslog entries from all OSSEC agent hosts. And note that the FQDN is
>
> > Consistency in the formatting of all syslog entries from OSSEC agents
> > and servers enables us to parse these entries accurately and
> > predictably - yes, the parser of our syslog server is awfully limited
> > in capability, which is why we need the format consistency.
>
> > I am hoping that you can take quick remedial action for this
> > situation. In the meantime, is there anything I can do
> > configuration-wise on my own short of changing the source code by myself?
>
> > Regards,
>
> You'll have to modify the source to change this behavior. If you make
> the changes, forward a patch to the list.

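Until the server-side format is patched, the two Location forms quoted in the thread can be reconciled at ingest instead. The following parser is an added example written for this thread, not OSSEC code: it accepts both the agent form "(fqdn) ip->logfile" and the server form "hostname->logfile", yields the same keys for each, and can rewrite a server alert into the agent form given the server's FQDN and IP (assumed supplied by the caller; the sample lines are reconstructed from the thread).

```python
import re
# Sample lines constructed for this example from the two formats quoted in
# the thread (the original mail wrapped them; they are single lines here).
AGENT_LINE = (
    "ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force "
    "trying to get access to the system.; Location: (ossecclient.domain.com) "
    "74.143.171.166->/var/log/secure; srcip: 72.55.156.23;  Apr 12 22:35:40 "
    "ossecclient sshd[19838]: Invalid user recruit from 72.55.156.23"
)
SERVER_LINE = (
    "ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force "
    "trying to get access to the system.; Location: ossecserver->/var/log/"
    "secure; srcip: 72.55.156.23;  Apr 12 22:35:40 ossecserver sshd[19838]: "
    "Invalid user recruit from 72.55.156.23"
)

# Field layout of an exported alert; lazy groups stop at the next "; " and
# srcip is optional because not every rule reports a source address.
_ALERT_RE = re.compile(
    r"^(?P<reporter>\S+) ossec: Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule>\d+) - (?P<description>.*?); "
    r"Location: (?P<location>.*?); (?:srcip: (?P<srcip>[0-9.]+);\s+)?"
    r"(?P<event>.*)$"
)
# Agent form "(fqdn) ip->logfile" versus server form "hostname->logfile".
_AGENT_LOC_RE = re.compile(r"^\((?P<host>[^)]+)\) (?P<ip>[0-9.]+)->(?P<logfile>.+)$")
_SERVER_LOC_RE = re.compile(r"^(?P<host>[^()\s>]+)->(?P<logfile>.+)$")

def parse_ossec_alert(line):
    """Parse one exported alert; both Location forms give the same keys (server: agent_ip=None)."""
    m = _ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    loc = _AGENT_LOC_RE.match(rec["location"])
    rec["origin"] = "agent" if loc else "server"
    loc = loc or _SERVER_LOC_RE.match(rec["location"])
    if not loc:
        return None
    rec.update(agent_host=loc["host"], agent_ip=loc.groupdict().get("ip"),
               logfile=loc["logfile"], level=int(rec["level"]), rule=int(rec["rule"]))
    return rec

def to_agent_format(line, server_fqdn, server_ip):
    """Rewrite a server-originated alert so its Location takes the agent form
    "(fqdn) ip->logfile"; the FQDN and IP are assumed known to the caller."""
    rec = parse_ossec_alert(line)
    if rec is None or rec["origin"] == "agent":
        return line if rec else None  # agent lines already have the wanted form
    new_loc = f"({server_fqdn}) {server_ip}->{rec['logfile']}"
    return line.replace(f"Location: {rec['location']};", f"Location: {new_loc};", 1)
```

Running server alerts through to_agent_format before they reach the limited syslog parser gives it one shape to handle, while parse_ossec_alert alone is enough if the downstream parser can be replaced.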