[prelude-user] prelude-lml and syslog message over the network
x25 at pobox.com
Mon Mar 16 16:44:08 CET 2009
I am setting up PreludeIDS, and I am having a bit of trouble with prelude-lml, on CentOS.
Basically, I initially set syslog to accept messages over the network and log them into files. However, because
there is quite a lot of syslog traffic, I wanted to set up prelude-lml as a listener, so that I can only accept+log
(into the prelude db) the events that I need.
The problem I have is:
16 Mar 11:04:20 (process:8776) WARNING: no appropriate format defined for log entry: 'sshd[24034]:
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.18.100.1 user=root
The trouble is that this message doesn't have a timestamp and hostname, which are fields defined in the syslog format. I have
tried defining a 'custom' format, without timestamp/hostname, but then entries show up (in prewikka) with a
'destination' of 127.0.0.1.
What is the proper way to handle a case like this?
Thanks :)
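As an added illustration (not code from the post, and not prelude-lml's own format definitions or parsing code), the following Python shows the two behaviours the post describes: a strict prefix pattern that requires a timestamp and a hostname rejects the relayed sshd line, while a relaxed pattern with both fields optional accepts it, and the receiver then has to supply the sender's address and arrival time itself, otherwise the event carries no meaningful source host. The regexes, function names, the constructed log lines and the peer address 192.0.2.10 are assumptions for this example, not prelude-lml configuration syntax.

```python
import re
from typing import Optional

# Strict prefix (assumption, in the spirit of a default syslog format):
# timestamp, then hostname, then process[pid]: message. All mandatory.
STRICT_PREFIX = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<process>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

# Relaxed prefix: timestamp and hostname are each optional, so a line that a
# relay forwarded as just "process[pid]: message" still matches.
RELAXED_PREFIX = re.compile(
    r"^(?:(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) )?"
    r"(?:(?P<hostname>[^\s:\[]+) )?"
    r"(?P<process>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)


def matches_strict(line: str) -> bool:
    """True if the line has the full timestamp + hostname prefix."""
    return STRICT_PREFIX.match(line) is not None


def parse_syslog(line: str, peer_addr: str, received_at: str) -> Optional[dict]:
    """Parse a line with the relaxed pattern.

    When the line carries no hostname, the address of the peer that sent the
    datagram is used instead; when it carries no timestamp, the receiver's
    arrival time is used. Both substitutions are flagged so that downstream
    reporting can tell a parsed field from a supplied one.
    """
    m = RELAXED_PREFIX.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["hostname_from_peer"] = fields["hostname"] is None
    if fields["hostname"] is None:
        fields["hostname"] = peer_addr
    fields["timestamp_from_receiver"] = fields["timestamp"] is None
    if fields["timestamp"] is None:
        fields["timestamp"] = received_at
    return fields


# Constructed sample lines. The first mirrors the shape of the line quoted in
# the post (no timestamp, no hostname); the second is the same event as a
# local syslog daemon would normally write it.
RELAYED_LINE = (
    "sshd[24034]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=172.18.100.1 user=root"
)
FULL_LINE = "Mar 16 11:04:20 gw1 " + RELAYED_LINE


if __name__ == "__main__":
    for line in (FULL_LINE, RELAYED_LINE):
        print("strict match:", matches_strict(line))
        parsed = parse_syslog(line, peer_addr="192.0.2.10", received_at="Mar 16 11:04:20")
        print("  host=%(hostname)s (from peer: %(hostname_from_peer)s) "
              "time=%(timestamp)s (from receiver: %(timestamp_from_receiver)s) "
              "process=%(process)s pid=%(pid)s" % parsed)
```

The point of the `hostname_from_peer` flag is the 127.0.0.1 symptom in the post: once the hostname is made optional, something still has to decide what the source of the event is, and the only trustworthy information at that point is the address the packet arrived from. Keeping the substitution visible in the record makes it possible to spot sources that never identify themselves.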