[ossec-list] Re: localfile problem
Daniel-
Thanks for the information!
You are right about the date format in our logs. One of the big problems in
our environment is log normalization. We receive logs from many embedded
devices which have extremely inaccurate clocks, so we are using the
"ISODATE" option of syslog-ng which (so far as I know) conforms to the
ISO-8601 specification for dates; this is actually a recommendation in the
syslog-ng manual.
However, now that I know what the problem is (thanks again; that hadn't
even occurred to me!), it will be simple to set up another output stream
within syslog-ng using the "normal" syslog format.
James Ervin
ITS Control Center
UNC-Chapel Hill
work: (919) 843-8311
cell: (919) 360-3001
email: jervin@xxxxxxxxxxxxx
On Sat, 16 Jun 2007, Daniel Cid wrote:
>
> Hi James,
>
> Reply inline...
>
> On 6/15/07, James Ervin <jervin@xxxxxxxxxxxxx> wrote:
>>
>> For administrative reasons, we have to keep the OSSEC server separate from
>> the central syslog server, so we opted not to install OSSEC on the syslog
>> server in "server" mode (i.e., we can't have OSSEC listening on port 514
>> on the syslog server).
>
> You could have installed ossec in the syslog server (even in server mode) and
> disabled the remote syslog option. You would only need to configure it to
> read the local log files (containing the logs from all your systems).
>
>
>> However, my OSSEC installation doesn't seem to be differentiating between
>> the hosts properly in this configuration. Maybe someone on the list has
>> some suggestions? Caveat: I have not upgraded to OSSEC 1.2 yet.
>
>
> The issue is that your logs are not well formatted (according to the syslog RFC)
> and ossec doesn't know how to extract the hostnames.
>
> Your logs are:
>
> 2007-06-14T15:48:55-04:00 internalhost1
>
> While on syslog, it would be:
>
> Jun 14 15:48:55 internalhost1
>
> That's why ossec is not using the hostnames. Is it something you did specially
> for your environment or is syslog-ng setting the time/date like that?
>
> *Not only the hostnames are not being parsed, but also the program
> name (e.g. sshd), which is causing your ossec install to miss a lot of
> stuff (some of our rules/decoders are based on the program name)...
>
>
> Hope it helps..
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
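To make Daniel's point concrete, here is a small added example written for this page (it is not OSSEC's decoder and not code from the thread). A header parser written for the classic BSD syslog layout (`Mon DD HH:MM:SS host program[pid]: message`) is run over both timestamp styles: it extracts nothing from the syslog-ng ISODATE line, while a simple normalisation of the timestamp into the BSD form, which is what James's second syslog-ng output stream would produce, lets the same parser recover the hostname and program name. The log lines are constructed for the demonstration; only the timestamp and hostname come from the thread, the sshd message text is made up.

```python
"""Added example: why an RFC 3164-style syslog header parser cannot find the
hostname or program name when the timestamp is ISO 8601, and how rewriting the
timestamp into the BSD form fixes it.  Not OSSEC code."""
import re
from datetime import datetime

# Classic BSD syslog header: "Mon DD HH:MM:SS host program[pid]: message"
BSD_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# syslog-ng ISODATE header as quoted in the thread: "2007-06-14T15:48:55-04:00 host ..."
ISO_TS = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:[+-]\d\d:\d\d|Z)) "
)

# Constructed sample lines (timestamp and hostname from the thread, message invented)
ISO_LINE = ("2007-06-14T15:48:55-04:00 internalhost1 sshd[2212]: "
            "Accepted publickey for jervin from 10.0.0.5 port 4242 ssh2")
BSD_LINE = ("Jun 14 15:48:55 internalhost1 sshd[2212]: "
            "Accepted publickey for jervin from 10.0.0.5 port 4242 ssh2")


def parse_bsd(line):
    """Return the header fields of an RFC 3164-style line, or None if the
    header does not match (which is what happens with an ISODATE header)."""
    m = BSD_HEADER.match(line)
    return m.groupdict() if m else None


def iso_to_bsd(line):
    """Rewrite an ISODATE header into the BSD 'Mon DD HH:MM:SS' form.

    Lines that do not start with an ISO 8601 timestamp are returned unchanged,
    so the function is safe to run over a mixed stream.  Note that the BSD form
    carries neither the year nor the UTC offset; that information is lost."""
    m = ISO_TS.match(line)
    if not m:
        return line
    ts = m.group("ts")
    # datetime.fromisoformat() on Python < 3.11 does not accept a trailing 'Z'
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    # BSD syslog pads a single-digit day with a space, e.g. "Jun  4"
    bsd_ts = dt.strftime("%b") + f" {dt.day:2d} " + dt.strftime("%H:%M:%S")
    return bsd_ts + " " + line[m.end():]


def header_fields(line):
    """Parse a line, normalising the timestamp first if it is ISO 8601."""
    return parse_bsd(iso_to_bsd(line))


if __name__ == "__main__":
    print("raw ISODATE line parsed as BSD syslog:", parse_bsd(ISO_LINE))
    print("after normalisation:", header_fields(ISO_LINE))
```

Running it shows `None` for the raw ISODATE line and a full field set (`host`, `prog`, `pid`, `msg`) once the timestamp is rewritten, which is exactly the difference between OSSEC seeing `internalhost1`/`sshd` or not. The trade-off is the one James mentions: the BSD header has no year or timezone, so for devices with unreliable clocks the ISODATE stream remains the better archive copy, and the BSD-formatted stream is only a feed for the analyser.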
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.