On Wed, Aug 13, 2014 at 9:35 AM, Patrick S <[email protected]> wrote:
> I've searched the decoder.xml file but there doesn't appear to be a field
> (shown below) that would permit that. I'm guessing you won't know it off
> the top of your head, but I just thought to post this update in case anyone
> out there has come across this same problem.
>
Look in src/analysisd/decoders. I think it'll be in there.

> - Allowed fields:
>   - location - where the log came from (only on FTS)
>   - srcuser - extracts the source username
>   - dstuser - extracts the destination (target) username
>   - user - an alias to dstuser (only one of the two can be used)
>   - srcip - source ip
>   - dstip - dst ip
>   - srcport - source port
>   - dstport - destination port
>   - protocol - protocol
>   - id - event id
>   - url - url of the event
>   - action - event action (deny, drop, accept, etc)
>   - status - event status (success, failure, etc)
>   - extra_data - Any extra data
>
> On Monday, August 4, 2014 5:31:44 PM UTC+1, dan (ddpbsd) wrote:
>>
>> On Mon, Aug 4, 2014 at 12:28 PM, Patrick S <[email protected]> wrote:
>> > Thanks for your reply; however in this case it's the server itself. So
>> > I'm not sure if there's something else that can be modified to show the
>> > server's IP.
>> >
>>
>> Modify the source code to display the IP instead of the name.
>>
>> >
>> > On Monday, August 4, 2014 1:28:05 PM UTC+1, dan (ddpbsd) wrote:
>> >>
>> >> On Sun, Aug 3, 2014 at 7:37 AM, Patrick S <[email protected]> wrote:
>> >> > In the below alert segment "Ubuntu" is displayed. How can I change it
>> >> > so the alert displays the IP address of that computer for every alert?
>> >> >
>> >> > 2014 Jul 20 06:29:00 ubuntu->/var/log/auth.log
>> >> >
>> >>
>> >> I think that's the agent name given to the system when you added it
>> >> via manage_agents. Change that to the IP instead of the hostname, and
>> >> it should work.
>> >>
>> >> > Thanks :)
>> >> >
>> >> > --
>> >> >
>> >> > ---
>> >> > You received this message because you are subscribed to the Google
>> >> > Groups "ossec-list" group.
>> >> > To unsubscribe from this group and stop receiving emails from it, send
>> >> > an email to [email protected].
>> >> > For more options, visit https://groups.google.com/d/optout.
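As an added example, not OSSEC's own code and not part of the thread: the script below shows how the allowed-field list quoted above constrains a decoder. It reads one decoder written in the decoder.xml layout (<prematch>, <regex> with offset="after_prematch", <order>), applies it to two constructed sshd lines, and refuses a decoder whose <order> names a field that is not in the list (for instance an "agentip" entry, which is exactly what the list lacks). The decoder and log lines are constructed for illustration, and the regex translation is an assumed, simplified subset of OSSEC's regex dialect (only \S, \d, \w, \s, \. as "any character", and a literal dot), not the project's matcher.

```python
"""Toy OSSEC-style decoder: shows how <prematch>, <regex> and <order> map
captured groups onto the fixed set of allowed field names.

Added example; not OSSEC's own code. The regex translation below is a
simplified approximation of OSSEC's regex dialect (assumption), covering
only \\S, \\d, \\w, \\s, \\. (any character) and a literal '.'.
"""
import re
import xml.etree.ElementTree as ET

# Field names a decoder's <order> may use, as listed in the thread above.
# Note there is no entry for the agent's own IP address.
ALLOWED_FIELDS = {
    "location", "srcuser", "dstuser", "user", "srcip", "dstip", "srcport",
    "dstport", "protocol", "id", "url", "action", "status", "extra_data",
}

# Constructed decoder in the decoder.xml layout (not the shipped decoder).
DECODER_XML = r"""
<decoder name="sshd-success">
  <prematch>^Accepted</prematch>
  <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port (\d+)</regex>
  <order>user, srcip, srcport</order>
</decoder>
"""

# Constructed sample log lines (syslog header already stripped).
SAMPLE_LOGS = [
    "Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "Failed password for invalid user bob from 10.0.0.9 port 40001 ssh2",
]


def ossec_regex_to_python(pattern):
    """Translate the supported subset of OSSEC regex syntax to Python re.

    In OSSEC '\\.' means any character and a bare '.' is a literal dot,
    the reverse of Python; anything not listed is escaped literally.
    """
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt in "SsDdWw":
                out.append("\\" + nxt)
            elif nxt == ".":
                out.append(".")
            else:
                out.append(re.escape(nxt))
            i += 2
            continue
        out.append(c if c in "()^$+*" else re.escape(c))
        i += 1
    return "".join(out)


def unknown_fields(order_text):
    """Return the names in an <order> list that are not allowed fields."""
    names = [f.strip() for f in order_text.split(",") if f.strip()]
    return [f for f in names if f not in ALLOWED_FIELDS]


def load_decoder(xml_text):
    """Parse one <decoder> element, rejecting unknown <order> names."""
    root = ET.fromstring(xml_text.strip())
    order_text = root.findtext("order") or ""
    bad = unknown_fields(order_text)
    if bad:
        raise ValueError("decoder %s: unknown <order> field(s): %s"
                         % (root.get("name"), bad))
    regex_el = root.find("regex")
    return {
        "name": root.get("name"),
        "prematch": re.compile(ossec_regex_to_python(root.findtext("prematch"))),
        "regex": re.compile(ossec_regex_to_python(regex_el.text)),
        "after_prematch": regex_el.get("offset") == "after_prematch",
        "order": [f.strip() for f in order_text.split(",")],
    }


def decode(decoder, line):
    """Apply prematch, then regex; return {field: value} or None."""
    pm = decoder["prematch"].search(line)
    if pm is None:
        return None
    target = line[pm.end():] if decoder["after_prematch"] else line
    m = decoder["regex"].search(target)
    if m is None:
        return None
    fields = dict(zip(decoder["order"], m.groups()))
    fields["decoder"] = decoder["name"]
    return fields


if __name__ == "__main__":
    dec = load_decoder(DECODER_XML)
    for log in SAMPLE_LOGS:
        print(log, "->", decode(dec, log))
    # A decoder asking for a field outside the list is rejected.
    print("unknown:", unknown_fields("user, srcip, agentip"))
```

Running it decodes the "Accepted password" line into user, srcip and srcport, returns None for the "Failed password" line (the prematch does not fire), and reports "agentip" as an unknown field, which matches the observation in the thread that decoder.xml has no field for the agent's own address.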
