This repository has been archived by the owner on Apr 19, 2021. It is now read-only.

Add source of syslog as destination IP for Sguil alert #5

Merged
merged 2 commits into from
Jul 3, 2015

Conversation

theflakes
Contributor

Some syslogs do not contain the IP of the device sending the syslog in the body of the syslog. Cisco ASAs do this with some syslog messages. Therefore I added to the regex to pull this information out if it exists in the second line of the OSSEC alert.
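The extraction described above, as an added example that is not the ossec-agent's own Tcl code: it assumes the OSSEC alert layout where the second line reads `<date> (<agent name>) <ip>-><location>` (the parenthesised agent name being optional), uses a constructed Cisco ASA alert whose message body carries no device IP, and maps the syslog sender to the Sguil event's destination address, with any `Src IP:` line from the body kept as the source address. The hypothetical helper names are mine.

```python
import re
from ipaddress import ip_address
from typing import Optional, Tuple

# Constructed sample OSSEC alert: the ASA syslog body (last line) names no
# device IP, so the only place the sender appears is the alert's second line.
SAMPLE_ALERT = """** Alert 1433378520.1234: - syslog,firewall,
2015 Jun 03 20:42:00 (asa-edge) 192.0.2.10->syslog
Rule: 4101 (level 3) -> 'Firewall configuration changed.'
Jun 03 20:42:00 %ASA-5-111008: User 'enable_15' executed the 'write memory' command.
"""

# Second alert line, assumed layout: "<date> (<agent>) <ip>-><location>" or
# "<date> <ip>-><location>". The agent name in parentheses is optional.
_SECOND_LINE_RE = re.compile(
    r"^\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2} "
    r"(?:\([^)]*\) )?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})->"
)

# "Src IP:" line OSSEC emits when a decoder found an address in the body.
_SRC_IP_RE = re.compile(r"^Src IP: (?P<ip>\S+)$", re.MULTILINE)


def sender_ip_from_alert(alert: str) -> Optional[str]:
    """IP of the device that sent the syslog, taken from the alert's second line."""
    lines = alert.splitlines()
    if len(lines) < 2:
        return None
    m = _SECOND_LINE_RE.match(lines[1])
    if not m:
        return None
    ip = m.group("ip")
    try:
        ip_address(ip)  # reject octets > 255 that the loose regex still admits
    except ValueError:
        return None
    return ip


def body_src_ip(alert: str) -> Optional[str]:
    """Source address OSSEC already decoded from the syslog body, if any."""
    m = _SRC_IP_RE.search(alert)
    if not m or m.group("ip") == "(none)":
        return None
    return m.group("ip")


def sguil_event_addrs(alert: str) -> Tuple[Optional[str], Optional[str]]:
    """(src_ip, dst_ip) for the Sguil event: the decoded body address as
    source, the syslog sender as destination (assumed mapping)."""
    return body_src_ip(alert), sender_ip_from_alert(alert)


if __name__ == "__main__":
    print(sguil_event_addrs(SAMPLE_ALERT))  # (None, '192.0.2.10')
```

Without the second-line fallback the ASA alert above would reach Sguil with neither address populated; with it, the firewall that produced the message can at least be pivoted on as the destination host.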

theflakes added 2 commits June 3, 2015 20:42
Some syslogs do not contain the IP of the device sending the syslog in the body of the syslog. Cisco ASAs do this with some syslog messages. Therefore I added to the regex to pull this information out if it exists in the second line of the OSSEC alert.
@dougburks
Contributor

Thanks, Brian! I'll take a look at this as time allows.

@theflakes
Contributor Author

Thanks, it still needs some work and I haven’t had time to get back to testing it more yet. I’m not that familiar with the Sguil DB yet so not sure if the set event is set up correctly or not.

On a side note going to start looking at some point into adding a username column to Sguil. That would be very useful for OSSEC alerts and finding/correlating credential misuse. Probably a ways away from doing anything with this but the more I work with Sguil and OSSEC the more I see the need for this. ELSA parsers for pulling usernames out is another thing on my list as well.


@theflakes
Contributor Author

Sorry Doug, thought this email was on the Sguil Bro-agent.

The GitHub pull request for the ossec-agent update should be good to go for testing whenever you are ready.


dougburks added a commit that referenced this pull request Jul 3, 2015
Add source of syslog as destination IP for Sguil alert
@dougburks dougburks merged commit 977b883 into Security-Onion-Solutions:master Jul 3, 2015