In this guide, we are going to show you how to fix AlienVault HIDS events displaying 0.0.0.0 as the IP address. Are you running AlienVault OSSIM 5.7.1 and experiencing an issue whereby events are not parsed correctly, so that instead of the actual hostnames or IP addresses contained in the events, 0.0.0.0 is displayed?
Fixing AlienVault HIDS Events Displaying 0.0.0.0 as IP Address
The issue of AlienVault HIDS events displaying 0.0.0.0 as the IP address for either source or destination has been traced to the OSSIM OSSEC plugin, /etc/ossim/agent/plugins/ossec-single-line.cfg, which fails to translate hostnames into IPv4 addresses. This is because the plugin does not wrap its host variables in the resolv() function, so the address is never resolved and ends up as 0.0.0.0.
A simple fix has been identified for this issue: customize ossec-single-line.cfg by adding the resolv() function as shown below.
Customize ossec-single-line.cfg Plugin
Before making changes to the existing ossec-single-line.cfg plugin, create a copy of it with the .local extension appended.
cp /etc/ossim/agent/plugins/ossec-single-line.cfg{,.local}
Next, open the copy you created above, the one with the .local extension, for editing and make the following changes.
vim /etc/ossim/agent/plugins/ossec-single-line.cfg.local
Locate all occurrences of src_ip={VARIABLE} and dst_ip={VARIABLE}:
...
src_ip={$variable}
dst_ip={$variable}
...
For example:
src_ip={$hostname}
dst_ip={$hostname}
and replace them with src_ip={resolv(VARIABLE)} and dst_ip={resolv(VARIABLE)}, so that they look like this:
...
src_ip={resolv($variable)}
dst_ip={resolv($variable)}
...
Alternatively, run the command below to make all the changes in one go. On every line containing src_ip=...} or dst_ip=...} it wraps the fourth non-space token (the $variable after src_ip, = and {) in resolv():
sed -i -e '/src_ip=.*\}/ s/\S\w*/resolv(&)/4' -e '/dst_ip=.*\}/ s/\S\w*/resolv(&)/4' /etc/ossim/agent/plugins/ossec-single-line.cfg.local
After the change, the variables look like this, for example:
src_ip={resolv($hostname)}
dst_ip={resolv($hostname)}
Apply the Changes
Once you have made the changes, run alienvault-reconfig or ossim-reconfig to apply them, then restart the agent:
ossim-reconfig && /etc/init.d/ossim-agent restart
Your source and destination addresses should now be populated correctly. Navigate to the GUI and confirm.
That is all on how to fix IP addresses showing as 0.0.0.0 in AlienVault HIDS events. We hope this was informative. Feel free to drop a comment.
See other AlienVault OSSIM tutorials by following the links below:
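As an added example (not a command from the original article), the small POSIX shell helper below performs the same resolv() rewrite in a way that is safe to re-run, and counts how many src_ip/dst_ip lines are still unwrapped so you can check the plugin before running ossim-reconfig. The plugin fragment it edits is constructed here for illustration; on the appliance you would point wrap_resolv at /etc/ossim/agent/plugins/ossec-single-line.cfg.local instead.

```sh
#!/bin/sh
# Added example, not the article's own command: wrap the src_ip/dst_ip
# variables in resolv() in a way that is safe to re-run, then verify that
# no unwrapped occurrences remain before ossim-reconfig is invoked.

# wrap_resolv FILE: src_ip={$var} -> src_ip={resolv($var)} (same for dst_ip).
# Lines already wrapped do not match the address pattern, so they are left
# alone; output goes through a temp file so this works with any POSIX sed.
wrap_resolv() {
    sed -e '/^[[:space:]]*src_ip={\$[A-Za-z0-9_]*}/ s/{\(\$[A-Za-z0-9_]*\)}/{resolv(\1)}/' \
        -e '/^[[:space:]]*dst_ip={\$[A-Za-z0-9_]*}/ s/{\(\$[A-Za-z0-9_]*\)}/{resolv(\1)}/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# count_unwrapped FILE: number of src_ip/dst_ip lines still lacking resolv().
# A result of 0 means the plugin is ready for ossim-reconfig.
count_unwrapped() {
    grep -cE '^[[:space:]]*(src|dst)_ip=\{\$' "$1" || true
}

# make_sample DIR: write a constructed plugin fragment (not the real file)
# into DIR and print its path. One rule is already fixed to show idempotence.
make_sample() {
    cat > "$1/ossec-single-line.cfg.local" <<'EOF'
[0001 - constructed sample rule]
src_ip={$hostname}
dst_ip={$dstip}

[0002 - constructed sample rule, partly fixed already]
src_ip={resolv($hostname)}
dst_ip={$hostname}
EOF
    printf '%s\n' "$1/ossec-single-line.cfg.local"
}

# demo: run the whole flow against the constructed sample. On the appliance
# you would call: wrap_resolv /etc/ossim/agent/plugins/ossec-single-line.cfg.local
demo() {
    dir=$(mktemp -d)
    f=$(make_sample "$dir")
    echo "unwrapped before: $(count_unwrapped "$f")"
    wrap_resolv "$f"
    echo "unwrapped after:  $(count_unwrapped "$f")"
    cat "$f"
    rm -rf "$dir"
}

demo
```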
Nagios SNMP Monitoring of Linux Hosts on AlienVault USM/OSSIM
Configure Nagios Availability Monitoring on AlienVault USM/OSSIM
How to Install and Setup AlienVault HIDS Agent on a Windows Host
How to Install and Configure AlienVault HIDs Agent on a Linux Host
Import Assets to AlienVault USM/OSSIM using a CSV file
How to install and configure AlienVault OSSIM 5.5 on VirtualBox
hi,
Please help on configuring the OSSEC agent on a Windows server, especially on monitoring Windows event logs like Application, System, Security and Setup.
Hi Madan,
When the OSSEC agent is installed on a Windows host, it will automatically read Application/Security/System events.
hi,
Please help on how to remove a “false alarm” such as ‘alienvault hids: windows audit failure event’, because it is so difficult to find out on Google as well as on other websites.
I made some changes in the ossim-single-line plugins but it still doesn’t work; I also deleted the plugin_sid table in MySQL but it still comes up.
Thank you
Hi Andry,
How about you write a policy to discard such an event?
Hi Mibey,
Thank you for the reply,
but how can I make a policy for such an event?
Would you give me a link/tutorial as a reference?
Or would you mind creating another tutorial on this site?
I would surely appreciate it if you don’t mind.
Thank you,
Hi Andry, you can check here on creating a policy to discard events.
Hi,
I did, but after running ossim-reconfig && /etc/init.d/ossim-agent restart, the ossec plugin update does not continue and remains at 12%. What is the solution?
Hi, thanks for this, it helped resolve the problem with HIDS showing 0.0.0.0.
I’m facing the same problem with some NxLog events as well; do you have any guidance on that?
Regards,
MM
Hi. I did it, but OSSIM (HIDS, router, syslog) still shows me 0.0.0.0 addresses as before. Version 5.8.5.
THANK YOU FOR THIS ARTICLE!
This is the most helpful information I have seen for OSSIM in forever. I am going to look at the other articles you have put out. Maybe there is one about sending the raw log data in the email instead of just the macros.
thank you thank you thank you!
Thank you Christian! Glad the tutorial was helpful to you.