On 9/30/07, Daniel Cid [EMAIL PROTECTED] wrote:
Hi JM,
I think you are confusing it a bit. The logformat in the localfile configuration is only used to tell ossec how to read the logs, not anything else. In fact, the apache, squid, syslog fields act the same in there (all one entry per line logs)... What determines the category of them is the decoder. If the decoder reads a PIX log, it will set it to the firewall category, or if it reads an apache log, it will set it as web_log (look at the decoders.xml and the type tags).
That makes sense. Thanks for the clarification.
Regarding your log, our decoder is not treating it properly as a firewall because it has an additional hostname in there.
[trim]
*btw, you can keep the additional timestamp in there, but not the extra hostname.
Ok, so I examined the decoder.xml file and found the location that detects PIX/ASA. I then copied the lines and commented out a pair (so I could undo any damage I might cause... :-)
I added a \w+ in between the date and the %ASA-... to match the extra hostname and -- WOW! I'm getting much better alerts now! :-D
Hope it helps.
Tremendously!
Thanks again.
JM
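As an added example (not from the thread, and not OSSEC's own decoder.xml or its os_regex dialect), the following Python script models the change JM describes: a strict pattern that expects the %ASA- tag directly after the syslog timestamp, and a relaxed one with a \w+ hostname token in between. It goes one step further than the thread by making that token optional, so lines both with and without the extra hostname decode. The sample log lines are constructed, and the field names and the "firewall" category label are illustrative stand-ins for what a decoder's type tag would assign.

```python
import re

# Illustrative patterns in Python regex syntax. They stand in for the decoder
# prematch discussed in the thread; they are not copied from OSSEC's
# decoder.xml, and OSSEC's os_regex dialect is not Python's (its \w differs).
SYSLOG_TS = r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
ASA_TAG = (
    r"%(?P<platform>ASA|PIX|FWSM)-(?P<severity>\d)-(?P<msgid>\d{6}): "
    r"(?P<msg>.*)$"
)

# "Before": the %ASA-/%PIX-/%FWSM- tag must follow the timestamp directly,
# so a line carrying an extra hostname in between never matches.
ASA_STRICT = re.compile(SYSLOG_TS + ASA_TAG)

# "After": the \w+ hostname token JM inserted, made optional here so lines
# without the extra hostname keep decoding as well. Hostnames in the samples
# are plain alphanumerics; Python's \w does not cover '-' in a hostname.
ASA_RELAXED = re.compile(SYSLOG_TS + r"(?:(?P<host>\w+) )?" + ASA_TAG)


def decode(line, pattern=ASA_RELAXED):
    """Return the decoded fields plus a 'firewall' category, or None.

    None models the decoder not claiming the line, which is why the
    alerts were poor in the thread: the line never got the firewall type.
    """
    m = pattern.match(line)
    if not m:
        return None
    fields = m.groupdict()          # unmatched optional group -> None
    fields["severity"] = int(fields["severity"])
    fields["category"] = "firewall"  # what the decoder's <type> tag assigns
    return fields


def decode_all(lines, pattern=ASA_RELAXED):
    """Decode a batch; the list keeps None for lines the pattern rejects."""
    return [decode(line, pattern) for line in lines]


# Constructed sample lines (not taken from the original thread).
SAMPLE_LINES = [
    # No extra hostname: the original format.
    "Sep 30 12:00:01 %ASA-6-302013: Built outbound TCP connection 1234 "
    "for outside:198.51.100.10/443 to inside:192.0.2.5/50000",
    # Extra hostname 'fw01' between timestamp and tag: JM's case.
    "Sep 30 12:00:01 fw01 %ASA-6-302013: Built outbound TCP connection 1234 "
    "for outside:198.51.100.10/443 to inside:192.0.2.5/50000",
    # Same layout, a PIX deny message with a two-space day padding.
    "Sep  3 08:15:22 fw02 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4444 "
    'dst inside:192.0.2.5/22 by access-group "outside_in"',
    # Not a firewall line at all; neither pattern should claim it.
    "Sep 30 12:00:03 fw01 sshd[1234]: Accepted publickey for jm from 192.0.2.9 "
    "port 51000 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        strict = decode(line, ASA_STRICT) is not None
        relaxed = decode(line, ASA_RELAXED)
        print(f"strict={strict!s:5} relaxed={relaxed is not None!s:5} "
              f"host={relaxed and relaxed['host']} msgid={relaxed and relaxed['msgid']}")
```

Running it shows the strict pattern claiming only the first line, while the relaxed one claims the first three and leaves the sshd line alone; that last check matters, because widening a prematch too far would start tagging unrelated messages as firewall events.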