I don't know the answer to that. I haven't looked at the code far
enough in depth for that.
I'd start by looking in src/os_csyslogd

On Mon, May 9, 2011 at 12:20 PM, blacklight <vphu...@yahoo.com> wrote:
> Hello Dan,
>
> Would you mind pointing me to which subroutine of which module I
> should modify? Your answer does not need to be exact - as long as I
> don't have to wade through the entire code :)
>
> I told my boss I wanted to make the change on my own time but my boss
> was gracious about it :)
>
> On May 6, 3:55 pm, "dan (ddp)" <ddp...@gmail.com> wrote:
>> Hi blacklight,
>>
>> On Fri, May 6, 2011 at 3:48 PM, blacklight <vphu...@yahoo.com> wrote:
>> > Hello Folks,
>>
>> > The exported syslog entries from our OSSEC agent hosts have the
>> > following format
>>
>> > ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force
>> > trying to get access to the system.; Location:
>> > (ossecclient.domain.com) 74.143.171.166->/var/log/secure; srcip:
>> > 72.55.156.23;  Apr 12 22:35:40 ossecclient sshd[19838]: Invalid user
>> > recruit from 72.55.156.23
>>
>> > The format above is the format we want for all hosts including the
>> > OSSEC server hosts. Note that the format above includes
>> > - FQDN of the OSSEC client host embedded in parentheses
>> > - IP address of the OSSEC client host
>>
>> > In contrast, the syslog entry from our OSSEC server host has the
>> > following format
>>
>> > ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force
>> > trying to get access to the system.; Location: ossecserver->/var/log/
>> > secure; srcip: 72.55.156.23;  Apr 12 22:35:40 ossecserver sshd[19838]:
>> > Invalid user recruit from 72.55.156.23
>>
>> > Note that the name of the OSSEC server host in the Location field is
>> > not FQDN, is not embedded in parentheses and does not include its
>> > interface IP address. We very much want the syslog entry format from
>> > the OSSEC server host to include all three as per the format of all
>> > syslog entries from all OSSEC agent hosts. And note that the FQDN is
>>
>> > Consistency in the formatting of all syslog entries from OSSEC agents
>> > and servers enables us to parse these entries accurately and
>> > predictably - yes, the parser of our syslog server is awfully limited
>> > in capability, which is why we need the format consistency.
>>
>> > I am hoping that you can take quick remedial action for this
>> > situation. In the meantime, is there anything I can do configuration-
>> > wise on my own short of changing the source code by myself?
>>
>> > Regards,
>>
>> You'll have to modify the source to change this behavior. If you make
>> the changes, forward a patch to the list.
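A parser that accepts both Location shapes quoted in this thread (the agent form "(fqdn) ip->file" and the server's own "host->file"), as an added example that is not code from OSSEC or from anyone on the list. The two sample lines are constructed from the quoted ones, and the normalised `host`/`host_ip` field names are my own.

```python
import re
from typing import Optional

# Constructed sample lines, modelled on the two formats quoted in the thread.
AGENT_LINE = (
    "ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get "
    "access to the system.; Location: (ossecclient.domain.com) 74.143.171.166->/var/log/secure; "
    "srcip: 72.55.156.23;  Apr 12 22:35:40 ossecclient sshd[19838]: Invalid user recruit from 72.55.156.23"
)
SERVER_LINE = (
    "ossecserver ossec: Alert Level: 10; Rule: 5712 - SSHD brute force trying to get "
    "access to the system.; Location: ossecserver->/var/log/secure; "
    "srcip: 72.55.156.23;  Apr 12 22:35:40 ossecserver sshd[19838]: Invalid user recruit from 72.55.156.23"
)

# Outer layout: "<reporter> ossec: Alert Level: N; Rule: R - <desc>; Location: <loc>; [srcip: X;] <raw log>"
ALERT_RE = re.compile(
    r"^(?P<reporter>\S+) ossec: Alert Level: (?P<level>\d+); "
    r"Rule: (?P<rule>\d+) - (?P<desc>.*?); "
    r"Location: (?P<location>.*?); "
    r"(?:srcip: (?P<srcip>[^;]+);\s*)?"
    r"(?P<log>.*)$"
)
# Location comes in two shapes: "(fqdn) ip->file" from agents, "host->file" for the server's own logs.
LOCATION_RE = re.compile(
    r"^(?:\((?P<fqdn>[^)]+)\)\s+(?P<ip>\S+?)|(?P<host>.+?))->(?P<file>.+)$"
)


def parse_alert(line: str) -> Optional[dict]:
    """Parse one syslog-exported OSSEC alert; return None if the line does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    loc = LOCATION_RE.match(m.group("location"))
    if not loc:
        return None
    return {
        "reporter": m.group("reporter"),
        "level": int(m.group("level")),
        "rule": m.group("rule"),
        "description": m.group("desc"),
        # Normalised host field: FQDN when the agent form supplies it, bare name otherwise.
        "host": loc.group("fqdn") or loc.group("host"),
        "host_ip": loc.group("ip"),  # None for the server's own alerts, which carry no IP
        "file": loc.group("file"),
        "srcip": m.group("srcip"),
        "log": m.group("log"),
    }
```

Downstream code keys on `host` and `file`, so the same rule fires the same way whether the alert came from an agent or from the server's own log files.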
