On Nov 7, 2013 7:41 AM, "Stephan Joerrens" <[email protected]> wrote:
>
> I think the CEF format is not correctly implemented.
> The original CEF documentation from ArcSight (ArcSight CEF PDF) explains the format very well.
> dvc must be the IP, not the hostname, dhost the hostname where the event occurs. (dst in my previous post should be correct)
> How can I get the needed output?
> I am not a C expert, but I found the related part in the alert.c source:
>
>> else if(syslog_config->format == CEF_CSYSLOG)
>> {
>>     snprintf(syslog_msg, OS_SIZE_2048,
>>
>>         "<%d>%s CEF:0|%s|%s|%s|%d|%s|%d|dvc=%s cs2=%s cs2Label=Location",
>>         syslog_config->priority,
>>         tstamp,
>>         __author,
>>         __name,
>>         __version,
>>         al_data->rule,
>>         al_data->comment,
>>         (al_data->level > 10) ? 10 : al_data->level,
>>         __shost, al_data->location);
>>
>>     field_add_string(syslog_msg, OS_SIZE_2048, " src=%s", al_data->srcip );
>> #ifdef GEOIP
>>     field_add_string(syslog_msg, OS_SIZE_2048, " cs3Label=SrcCity cs3=%s", al_data->geoipdatasrc );
>>     field_add_string(syslog_msg, OS_SIZE_2048, " cs4Label=DstCity cs4=%s", al_data->geoipdatadst );
>> #endif
>>     field_add_string(syslog_msg, OS_SIZE_2048, " suser=%s", al_data->user );
>>     field_add_string(syslog_msg, OS_SIZE_2048, " dst=%s", al_data->dstip );
>>     field_add_truncated(syslog_msg, OS_SIZE_2048, " msg=%s", al_data->log[0], 2 );
>>     if (al_data->new_md5 && al_data->new_sha1) {
>>         field_add_string(syslog_msg, OS_SIZE_2048, " Previous MD5: %s", al_data->old_md5 );
>>         field_add_string(syslog_msg, OS_SIZE_2048, " Current MD5: %s", al_data->new_md5 );
>>         field_add_string(syslog_msg, OS_SIZE_2048, " Previous SHA1: %s", al_data->old_sha1 );
>>         field_add_string(syslog_msg, OS_SIZE_2048, " Current SHA1: %s", al_data->new_sha1 );
>>     }
>> }
>
>
> Most important the dhost entry, how do I implement it?
>
Fix the code, submit a patch.

> Thanks
> S. Joerrens
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
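The dvc/dhost split the question asks about, and the escaping the CEF spec requires, as an added example that is not OSSEC's alert.c code and not written by either poster: a small self-contained C formatter. CEF_VENDOR, CEF_PRODUCT and CEF_VERSION stand in for __author, __name and __version, struct cef_alert is a constructed stand-in for the relevant members of alert_data, and every value in the sample alert is made up. dvc carries the reporting host's IP and dhost its hostname, as the ArcSight extension dictionary defines them; header fields escape '|' and '\', extension values escape '=' and '\' and encode line breaks as the two-character \n and \r, and empty fields are omitted instead of being emitted as a bare "dst=".

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for OSSEC's __author / __name / __version; assumed values. */
#define CEF_VENDOR  "OSSEC Project"
#define CEF_PRODUCT "OSSEC HIDS"
#define CEF_VERSION "2.7"
#define CEF_BUF     2048

/* Constructed stand-in for the members of alert_data the formatter needs. */
struct cef_alert {
    int rule;             /* rule id          -> CEF Signature ID */
    const char *name;     /* rule description -> CEF Name (header, escaped) */
    int level;            /* OSSEC level 0-15 -> CEF Severity, capped at 10 */
    const char *dvc;      /* IP address of the host the event came from */
    const char *dhost;    /* hostname of the host the event came from */
    const char *location; /* log location, sent as cs2 */
    const char *srcip, *dstip, *user, *log;
};

/* Escape one value per the CEF spec. Header fields escape '|' and '\' and may
 * not contain line breaks (replaced by a space); extension values escape '='
 * and '\' and turn CR/LF into the two-character sequences \r and \n.
 * Returns the escaped length, or -1 if out is too small. */
static int cef_escape(char *out, size_t outsz, const char *in, int header)
{
    size_t o = 0;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '\\': rep = "\\\\"; break;
        case '|':  rep = header ? "\\|" : NULL; break;
        case '=':  rep = header ? NULL : "\\="; break;
        case '\n': rep = header ? " " : "\\n"; break;
        case '\r': rep = header ? " " : "\\r"; break;
        default:   break;
        }
        size_t need = rep ? strlen(rep) : 1;
        if (o + need >= outsz) return -1;
        if (rep) memcpy(out + o, rep, need); else out[o] = *in;
        o += need;
    }
    out[o] = '\0';
    return (int)o;
}

/* Append "key=value" to buf, space-separated from the previous field.
 * Empty values are skipped so the SIEM never sees a dangling "dst=".
 * Returns -1 if the message would be truncated. */
static int cef_add_ext(char *buf, size_t bufsz, const char *key,
                       const char *val, int *nfields)
{
    char esc[CEF_BUF];
    size_t len = strlen(buf);
    int n;
    if (val == NULL || *val == '\0') return 0;
    if (cef_escape(esc, sizeof esc, val, 0) < 0) return -1;
    n = snprintf(buf + len, bufsz - len, "%s%s=%s", *nfields ? " " : "", key, esc);
    if (n < 0 || (size_t)n >= bufsz - len) return -1;
    (*nfields)++;
    return 0;
}

/* Build one CEF:0 line (without the syslog <pri> and timestamp prefix). */
int cef_format_alert(char *buf, size_t bufsz, const struct cef_alert *a)
{
    char name[CEF_BUF];
    int n, nf = 0, severity = a->level > 10 ? 10 : a->level;
    if (cef_escape(name, sizeof name, a->name ? a->name : "", 1) < 0) return -1;
    n = snprintf(buf, bufsz, "CEF:0|%s|%s|%s|%d|%s|%d|",
                 CEF_VENDOR, CEF_PRODUCT, CEF_VERSION, a->rule, name, severity);
    if (n < 0 || (size_t)n >= bufsz) return -1;
    if (cef_add_ext(buf, bufsz, "dvc",      a->dvc,   &nf) < 0 ||
        cef_add_ext(buf, bufsz, "dhost",    a->dhost, &nf) < 0 ||
        cef_add_ext(buf, bufsz, "cs2Label", a->location ? "Location" : NULL, &nf) < 0 ||
        cef_add_ext(buf, bufsz, "cs2",      a->location, &nf) < 0 ||
        cef_add_ext(buf, bufsz, "src",      a->srcip, &nf) < 0 ||
        cef_add_ext(buf, bufsz, "dst",      a->dstip, &nf) < 0 ||
        cef_add_ext(buf, bufsz, "suser",    a->user,  &nf) < 0 ||
        cef_add_ext(buf, bufsz, "msg",      a->log,   &nf) < 0)
        return -1;
    return 0;
}

/* Constructed sample alert: a rule name containing '|', a level above 10,
 * no destination IP, and a log line containing '=' and a line break. */
static const struct cef_alert sample = {
    5716, "Pipe|in name", 12,
    "10.0.0.5", "web01.example.com", "/var/log/auth.log",
    "192.0.2.10", NULL, "root",
    "Failed password for root from 192.0.2.10 port=22\nnext line"
};

/* Formats the sample into a static buffer; NULL if it did not fit. */
const char *cef_example(void)
{
    static char buf[CEF_BUF];
    return cef_format_alert(buf, sizeof buf, &sample) == 0 ? buf : NULL;
}

/* Formats the sample into the first bufsz bytes (at most CEF_BUF) of a
 * local buffer, to show that an undersized buffer is reported, not truncated. */
int cef_example_fits(size_t bufsz)
{
    char buf[CEF_BUF];
    return cef_format_alert(buf, bufsz < CEF_BUF ? bufsz : CEF_BUF, &sample);
}

int main(void)
{
    const char *line = cef_example();
    puts(line ? line : "buffer too small");
    return line ? 0 : 1;
}
```

Wiring this into alert.c would mean passing the agent's IP for dvc and its hostname for dhost instead of printing one value under dvc; the buffer size check is worth keeping, since a silently truncated line loses its last extension fields without the receiving side noticing.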
