Hi,

I configured GeoIP for OSSEC 
(http://www.ossec.net/files/ossec-hids-2.7-release-note.txt) and all seems 
well.
No errors in ossec.log, doing a manual lookup using geoiplookup and the 
geoip city-database in /var/ossec/etc gives me a proper result.
But the "Src Location: " field in email-alerts is still empty, also when I 
test a rule using ossec-logtest:


# geoiplookup -f /var/ossec/etc/GeoLiteCity.dat 173.194.66.106
GeoIP City Edition, Rev 1: US, CA, Mountain View, 94043, 37.419201, 
-122.057404, 807, 650


# ./ossec-logtest -a
2013/10/14 17:57:47 ossec-testrule: INFO: Reading local decoder file.
2013/10/14 17:57:47 ossec-testrule: INFO: Started (pid: 5151).
Oct 14 16:08:08 demo sshd[31791]: Invalid user test from 173.194.66.106
** Alert 1381766270.1: - syslog,sshd,invalid_login,authentication_failed,
2013 Oct 14 17:57:50 demo->stdin
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 173.194.66.106
Src Location:  
Oct 14 16:08:08 demo sshd[31791]: Invalid user test from 173.194.66.106


The manual lookup using a Google IP shows a city, OSSEC doesn't...

The server is running CentOS 5. GeoIP and OSSEC (v2.7) are installed using 
yum and the OSSEC AtomiCorp repository.


Any ideas? OSSEC is functioning properly except for the empty field.
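A small diagnostic for the symptom described in this post, added here as an example and not code from the post or from the OSSEC project: it parses the "Src IP" / "Src Location" header lines of an ossec-logtest alert block, parses the geoiplookup result line for the same IP, and reports whether the database resolves the address while OSSEC left the field empty. The alert block and geoiplookup line are constructed copies of the ones quoted above; the default resolver shells out to geoiplookup with the /var/ossec/etc/GeoLiteCity.dat path from the post, and the output formatting of the database location is this script's own, not OSSEC's.

```python
import re
import subprocess

# Constructed sample: the ossec-logtest alert block quoted in the post.
SAMPLE_ALERT = """\
** Alert 1381766270.1: - syslog,sshd,invalid_login,authentication_failed,
2013 Oct 14 17:57:50 demo->stdin
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 173.194.66.106
Src Location:  
Oct 14 16:08:08 demo sshd[31791]: Invalid user test from 173.194.66.106
"""
# Constructed sample: the geoiplookup result line quoted in the post.
SAMPLE_GEOIP = ("GeoIP City Edition, Rev 1: US, CA, Mountain View, 94043, "
                "37.419201, -122.057404, 807, 650")
GEOIP_DB = "/var/ossec/etc/GeoLiteCity.dat"  # database path used in the post

def parse_alert_fields(alert_text):
    """Collect the 'Key: value' header lines of an OSSEC alert block.
    Timestamp lines and the raw syslog line do not match the key pattern."""
    fields = {}
    for line in alert_text.splitlines():
        m = re.match(r"^([A-Z][A-Za-z ]+): ?(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def parse_geoiplookup(line):
    """Split a 'GeoIP City Edition' result into country/region/city, or
    return None when geoiplookup reports 'IP Address not found'."""
    parts = [p.strip() for p in line.partition(": ")[2].split(",")]
    if len(parts) < 3:
        return None
    return {"country": parts[0], "region": parts[1], "city": parts[2]}

def run_geoiplookup(ip, db=GEOIP_DB):
    """Default resolver: run geoiplookup (assumed installed) against the DB."""
    out = subprocess.run(["geoiplookup", "-f", db, ip], capture_output=True,
                         text=True, check=False).stdout
    return out.splitlines()[0] if out else ""

def diagnose(alert_text, lookup=run_geoiplookup):
    """Compare what OSSEC wrote in Src Location with what the database says."""
    fields = parse_alert_fields(alert_text)
    ip, ossec_loc = fields.get("Src IP", ""), fields.get("Src Location", "")
    rec = parse_geoiplookup(lookup(ip)) if ip else None
    db_loc = f"{rec['city']}, {rec['region']}, {rec['country']}" if rec else ""
    if ossec_loc:
        verdict = "ok: OSSEC populated Src Location"
    elif db_loc:
        verdict = "mismatch: database resolves the IP but Src Location is empty"
    else:
        verdict = "no record: the database has no entry for this IP"
    return {"ip": ip, "ossec_location": ossec_loc, "db_location": db_loc,
            "verdict": verdict}
```

Pass `lookup=lambda ip: SAMPLE_GEOIP` to `diagnose` to run it offline against the constructed sample; a "mismatch" verdict means the problem lies in OSSEC's own lookup path rather than in the database file.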

