Re: [ossec-list] Problem with snort
Hi, I hope you reached a solution for your problem and if you did, can you share the solution with me, because I am struggling with the same problem for a few days...

On Sunday, May 3, 2015 at 2:43:06 PM UTC+3, AMINE.E wrote:
> I know that snort full logs are multiple lines. And I didn't use
> ossec-logtest for testing.
> What I got each time is the first line of my snort full log. I want the
> others because they contain useful data like source_ip/source_port.
>
> On Sunday, May 3, 2015 at 12:56:00 AM UTC+1, dan (ddpbsd) wrote:
>> On May 2, 2015 7:51 PM, "AMINE.E" wrote:
>> > Hi
>> >
>> > I have noticed something with snort-full log format, that it is not
>> > logging the full_log into "/var/ossec/logs/alerts/alert.log".
>> > It just takes the first line and logs it. And when I ran
>> > ossec-logcollector with debug mode I can see this:
>>
>> It's been a while, but aren't snort full logs multiple lines? Including a
>> multi-line log inside a multi-line log might be a bit cumbersome.
>>
>> > 2015/05/03 00:22:13 ossec-logcollector: DEBUG: Reading syslog message:
>> >
>> > syslog? It is not what I have configured ossec to. Because:
>> >
>> >   <localfile>
>> >     <log_format>snort-full</log_format>
>> >     <location>/var/log/snort/alert</location>
>> >   </localfile>
>>
>> I don't think ossec-logtest pays attention to that configuration.
>>
>> > Where might be the problem?
>>
>> I don't think there is one.
Re: [ossec-list] Problem with snort
I know that snort full logs are multiple lines. And I didn't use ossec-logtest for testing.
What I got each time is the first line of my snort full log. I want the others because they contain useful data like source_ip/source_port.

On Sunday, May 3, 2015 at 12:56:00 AM UTC+1, dan (ddpbsd) wrote:
> On May 2, 2015 7:51 PM, AMINE.E <amine.e...@um5s.net.ma> wrote:
> > Hi
> >
> > I have noticed something with snort-full log format, that it is not
> > logging the full_log into /var/ossec/logs/alerts/alert.log.
> > It just takes the first line and logs it. And when I ran
> > ossec-logcollector with debug mode I can see this:
>
> It's been a while, but aren't snort full logs multiple lines? Including a
> multi-line log inside a multi-line log might be a bit cumbersome.
>
> > 2015/05/03 00:22:13 ossec-logcollector: DEBUG: Reading syslog message:
> >
> > syslog? It is not what I have configured ossec to. Because:
> >
> >   <localfile>
> >     <log_format>snort-full</log_format>
> >     <location>/var/log/snort/alert</location>
> >   </localfile>
>
> I don't think ossec-logtest pays attention to that configuration.
>
> > Where might be the problem?
>
> I don't think there is one.
Re: [ossec-list] Problem with snort
Full.

On Sunday, May 3, 2015 at 12:55:59 AM UTC+1, Eero Volotinen wrote:
> How is snort logging configured? Full or fast mode?
>
> On 3.5.2015 at 2.51 AM, AMINE.E <amine.e...@um5s.net.ma> wrote:
> > Hi
> >
> > I have noticed something with snort-full log format, that it is not
> > logging the *full_log* into /var/ossec/logs/alerts/alert.log.
> > It just takes the *first* line and logs it. And when I ran
> > ossec-logcollector with debug mode I can see this:
> >
> > 2015/05/03 00:22:13 ossec-logcollector: DEBUG: Reading *syslog* message:
> >
> > syslog? It is not what I have configured ossec to. Because:
> >
> >   <localfile>
> >     <log_format>snort-full</log_format>
> >     <location>/var/log/snort/alert</location>
> >   </localfile>
> >
> > Where might be the problem?
Re: [ossec-list] Problem with snort
How is snort logging configured? Full or fast mode?

On 3.5.2015 at 2.51 AM, AMINE.E <amine.eloui...@um5s.net.ma> wrote:
> Hi
>
> I have noticed something with snort-full log format, that it is not
> logging the *full_log* into /var/ossec/logs/alerts/alert.log.
> It just takes the *first* line and logs it. And when I ran
> ossec-logcollector with debug mode I can see this:
>
> 2015/05/03 00:22:13 ossec-logcollector: DEBUG: Reading *syslog* message:
>
> syslog? It is not what I have configured ossec to. Because:
>
>   <localfile>
>     <log_format>snort-full</log_format>
>     <location>/var/log/snort/alert</location>
>   </localfile>
>
> Where might be the problem?
Re: [ossec-list] Problem with snort
On May 2, 2015 7:51 PM, AMINE.E <amine.eloui...@um5s.net.ma> wrote:
> Hi
>
> I have noticed something with snort-full log format, that it is not
> logging the full_log into /var/ossec/logs/alerts/alert.log.
> It just takes the first line and logs it. And when I ran
> ossec-logcollector with debug mode I can see this:

It's been a while, but aren't snort full logs multiple lines? Including a
multi-line log inside a multi-line log might be a bit cumbersome.

> 2015/05/03 00:22:13 ossec-logcollector: DEBUG: Reading syslog message:
>
> syslog? It is not what I have configured ossec to. Because:
>
>   <localfile>
>     <log_format>snort-full</log_format>
>     <location>/var/log/snort/alert</location>
>   </localfile>

I don't think ossec-logtest pays attention to that configuration.

> Where might be the problem?

I don't think there is one.
[ossec-list] Problem with snort
Hi

I have noticed something with snort-full log format, that it is not logging the *full_log* into /var/ossec/logs/alerts/alert.log.
It just takes the *first* line and logs it. And when I ran ossec-logcollector with debug mode I can see this:

2015/05/03 00:22:13 ossec-logcollector: DEBUG: Reading *syslog* message:

syslog? It is not what I have configured ossec to. Because:

  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>

Where might be the problem?
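As an added illustration (not code from the thread, from OSSEC or from Snort), here is a small Python parser for Snort's full alert format run over a constructed two-alert sample. It shows why logging only the first line of each block loses what the poster wants: the signature header is all that line carries, while classification, priority and source/destination addresses sit on the following lines and only become usable once the whole blank-line-delimited block is handled as one event.

```python
import re

# Constructed sample of Snort "full" alert-mode output (not from the thread):
# each alert is a blank-line-separated block whose first line carries only the
# signature; the src/dst addresses the poster wants are on the third line.
SAMPLE_ALERT_FILE = """\
[**] [1:1000001:1] CONSTRUCTED test alert [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/03-00:22:13.123456 192.0.2.10:44321 -> 198.51.100.5:80
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
***A**** Seq: 0x0  Ack: 0x0  Win: 0x100  TcpLen: 20

[**] [1:1000002:1] CONSTRUCTED ping alert [**]
[Classification: Misc activity] [Priority: 3]
05/03-00:22:14.000000 192.0.2.11 -> 198.51.100.5
ICMP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:84
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*)\] \[Priority: (\d+)\]$")
# IPv4 "timestamp src[:port] -> dst[:port]"; ICMP alerts carry no ports.
ADDR_RE = re.compile(r"^(\S+) (\S+?)(?::(\d+))? -> (\S+?)(?::(\d+))?$")

def split_blocks(text: str) -> list:
    """One alert per blank-line-separated block."""
    return [b.strip() for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]

def parse_snort_full(text: str) -> list:
    """Extract the fields that live on the lines after the first one."""
    alerts = []
    for block in split_blocks(text):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue  # stray text, not an alert header
        rec = dict(gid=head.group(1), sid=head.group(2), rev=head.group(3),
                   msg=head.group(4), src_ip=None, src_port=None,
                   dst_ip=None, dst_port=None)
        for line in lines[1:]:
            if m := CLASS_RE.match(line):
                rec["classification"], rec["priority"] = m.group(1, 2)
            elif m := ADDR_RE.match(line):
                rec["timestamp"], rec["src_ip"], rec["src_port"] = m.group(1, 2, 3)
                rec["dst_ip"], rec["dst_port"] = m.group(4, 5)
        alerts.append(rec)
    return alerts

def flatten_blocks(text: str) -> list:
    """Join each multi-line alert into one line, the shape a line-oriented collector needs."""
    return [" | ".join(l.strip() for l in b.splitlines()) for b in split_blocks(text)]
```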