Hi George,
If you are using ossec v1.0 or greater, it will by default log the event id
and rule id (in addition to the action and ip address).
Example:
Sat Apr 7 21:59:46 ADT 2007 /var/ossec/active-response/bin/firewall-drop.sh delete - 1.1.1.1 1175993269.67597 100361
If you also go to the active response script and add values "$6, $7" it will
log the agent that generated it...
echo "`date` $0 $1 $2 $3 $4 $5 $6 $7" >> ${PWD}/../logs/active-responses.log
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
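Added example (not part of the OSSEC project or of the original reply): a small parser for the one-line records the echo above appends to active-responses.log, plus a per-IP summary that answers the question in the thread, i.e. which rule put an address into the firewall and whether it is still blocked. The field order after the date and script path is assumed to follow the positional arguments shown in the echo ($1 action, $2 user, $3 source IP, $4 alert id, $5 rule id, then the optional $6/$7 once those are added); the sample lines are constructed.

```python
"""Parse OSSEC active-responses.log lines and summarise firewall activity per IP.

Added example, not OSSEC code. Assumed record layout, taken from the echo
`date` $0 $1 $2 $3 $4 $5 $6 $7:
  <6 date tokens> <script> <action> <user> <ip> <alert_id> <rule_id> [agent] [extra]
"""
import re
from collections import defaultdict

# `date` prints six whitespace-separated tokens (day-of-month may be padded
# with two spaces). Everything after the script path is positional.
LINE_RE = re.compile(
    r"^(?P<date>\S+ \S+ +\d{1,2} \d\d:\d\d:\d\d \S+ \d{4}) "
    r"(?P<script>\S+) (?P<action>\S+) (?P<user>\S+) (?P<ip>\S+) "
    r"(?P<alert_id>\d+\.\d+) (?P<rule_id>\d+)"
    r"(?: (?P<agent>\S+))?(?: (?P<extra>\S+))?\s*$"
)

# Constructed sample records (hypothetical addresses, rule ids and agent name).
SAMPLE_LINES = [
    "Sat Apr  7 21:59:46 ADT 2007 /var/ossec/active-response/bin/firewall-drop.sh "
    "add - 1.1.1.1 1175993269.67597 100361",
    "Sat Apr  7 22:09:46 ADT 2007 /var/ossec/active-response/bin/firewall-drop.sh "
    "delete - 1.1.1.1 1175993269.67597 100361",
    "Sat Apr  7 22:15:02 ADT 2007 /var/ossec/active-response/bin/firewall-drop.sh "
    "add - 192.0.2.10 1175994902.70112 5712 agent01",
]


def parse_line(line):
    """Return a dict of named fields, or None if the line is not a record."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Group records by source IP.

    For each IP return the rule ids that fired, the alert ids (usable to find
    the matching entry in alerts.log), the agents seen, and whether the last
    action was an "add", i.e. the address is presumably still in the firewall.
    """
    summary = defaultdict(lambda: {"rule_ids": set(), "alert_ids": [],
                                   "agents": set(), "blocked": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip wrapped or malformed lines rather than failing
        entry = summary[rec["ip"]]
        entry["rule_ids"].add(rec["rule_id"])
        entry["alert_ids"].append(rec["alert_id"])
        if rec["agent"]:
            entry["agents"].add(rec["agent"])
        # firewall-drop.sh is invoked with "add" to block and "delete" to unblock
        entry["blocked"] = rec["action"] == "add"
    return dict(summary)


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LINES).items():
        state = "still blocked" if info["blocked"] else "released"
        print(f"{ip}: rules {sorted(info['rule_ids'])} "
              f"agents {sorted(info['agents']) or ['-']} -> {state}")
```

Run it against a copy of /var/ossec/logs/active-responses.log by replacing SAMPLE_LINES with the file's lines; the alert id it records is the same `Alert <timestamp>.<counter>` header used in alerts.log, so each firewall entry can be traced back to the full alert without grepping by IP.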
On 4/24/07, George Vieira <george@xxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi all,

Sorry if this is mentioned before but I had no way of searching the mailing list.

The firewall.sh script only passes the IP and the action, but I'd also like to pass the rule which triggered it, purely so when the script writes its log file it also appends the rule, which is easier than going between 2 log files trying to establish why an IP appeared in the iptables -L list.. Is this easy to get put in?

Sorry, I'm not on the list.

Thanks,
____________________________________________
George Vieira
Citadel Computer Systems Pty Ltd