
[ossec-list] Re: problem log iptables



Try without the word TRACEROUTE, or change the iptables decoder to support two words before IN.

On 2/1/07, xtz.info@xxxxxxxxx <dead.but.dreamer@xxxxxxxxx> wrote:
I want to log this in OSSEC (in alert.log):

/var/log/kern.log

Jan 31 21:52:55 gatlan kernel: DROP TRACEROUTE IN=ppp0 OUT= MAC= SRC=81.251.160.88 DST=90.20.131.158 LEN=80 TOS=0x00 PREC=0xC0 TTL=248 ID=3575 PROTO=ICMP TYPE=3 CODE=1 [SRC=90.20.131.158 DST=192.168.1.64 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=8857 DF PROTO=TCP SPT=2267 DPT=4662 WINDOW=65535 RES=0x00 SYN URGP=0 ]

/var/ossec/rules/firewall_rules.xml

  <rule id="4101" level="6">
    <if_sid>4100</if_sid>
    <action>DROP</action>
    <!-- <options>no_log</options> -->
    <description>Firewall drop event.</description>
    <group>firewall_drop,</group>
  </rule>


/var/ossec/etc/ossec.conf

  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/kern.log</location>
  </localfile>



but nothing is logged by OSSEC...
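The reply above points at the prefix: the netfilter --log-prefix here is "DROP TRACEROUTE ", so two words sit between "kernel: " and "IN=", and a decoder that expects a single word never matches, which is why rule 4101 (action DROP) never gets a decoded event to fire on. The Python below is an added illustration of that mechanism, not OSSEC's own decoder (OSSEC decoders are XML with their own regex dialect); it runs a strict one-word prefix pattern and a relaxed two-word pattern over two constructed kern.log lines modelled on the thread, and shows which lines decode and which would raise a DROP alert. The log lines, pattern names and the rule-mirroring function are all assumptions made for this example.

```python
import re

# Constructed sample kern.log lines, modelled on the entries quoted in this thread
# (the first one trimmed to the outer ICMP packet). The netfilter log prefix is
# "DROP TRACEROUTE " on the first line and plain "DROP " on the second.
SAMPLE_LINES = [
    "Jan 31 21:52:55 gatlan kernel: DROP TRACEROUTE IN=ppp0 OUT= MAC= "
    "SRC=81.251.160.88 DST=90.20.131.158 LEN=80 TOS=0x00 PREC=0xC0 TTL=248 "
    "ID=3575 PROTO=ICMP TYPE=3 CODE=1",
    "Jan 31 21:53:10 gatlan kernel: DROP IN=ppp0 OUT= MAC= "
    "SRC=90.20.131.158 DST=192.168.1.64 LEN=52 TOS=0x00 PREC=0x00 TTL=54 "
    "ID=8857 DF PROTO=TCP SPT=2267 DPT=4662 WINDOW=65535 RES=0x00 SYN URGP=0",
]

# Strict prefix: exactly one word between "kernel: " and "IN=". This is the
# shape of a decoder that expects a single-token log prefix (DROP, ACCEPT, ...).
ONE_WORD_PREFIX = re.compile(r"kernel: (?P<action>\S+) IN=")

# Relaxed prefix: one mandatory word plus an optional second word before "IN=".
# The first word stays the action; the optional second word is kept as a tag.
TWO_WORD_PREFIX = re.compile(
    r"kernel: (?P<action>\S+)(?: (?P<tag>[A-Za-z0-9_-]+))? IN="
)

# Generic KEY=value tokens of the packet description (value may be empty, e.g. "OUT=").
KEY_VALUE = re.compile(r"\b([A-Z]+)=(\S*)")


def decode(line, prefix_re):
    """Decode one netfilter log line with the given prefix pattern.

    Returns a dict of fields, or None when the prefix does not match. None models
    a decoder miss: without a decoded event, no rule such as 4101 can fire.
    """
    m = prefix_re.search(line)
    if m is None:
        return None
    fields = {"action": m.group("action")}
    if "tag" in prefix_re.groupindex and m.group("tag"):
        fields["tag"] = m.group("tag")
    # m.end() sits just past "IN="; back up so the scan starts at that token.
    packet = line[m.end() - len("IN="):]
    for key, value in KEY_VALUE.findall(packet):
        fields.setdefault(key, value)
    return fields


def firewall_drop_alert(fields):
    """Mirror the quoted rule 4101: fires only on a decoded event whose action is DROP."""
    return fields is not None and fields.get("action") == "DROP"


def evaluate(lines, prefix_re):
    """Return (decoded_count, alert_count) for a batch of lines under one prefix pattern."""
    decoded = [decode(line, prefix_re) for line in lines]
    return (sum(f is not None for f in decoded),
            sum(firewall_drop_alert(f) for f in decoded))


if __name__ == "__main__":
    for name, pattern in (("one-word prefix", ONE_WORD_PREFIX),
                          ("two-word prefix", TWO_WORD_PREFIX)):
        print(name, evaluate(SAMPLE_LINES, pattern))
```

With the strict pattern only the plain "DROP" line decodes, so the TRACEROUTE line produces no event and no alert; with the relaxed pattern both lines decode with action DROP and the extra word survives as a tag. Whichever fix is chosen, dropping the extra word from the log prefix or widening the decoder, the check is the same: feed a real line from kern.log through the decoder and confirm that the action field comes out as DROP before expecting rule 4101 to fire.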




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.