Fix AlienVault HIDS Events Displaying 0.0.0.0 as IP Address


In this guide, we show you how to fix AlienVault HIDS events displaying 0.0.0.0 as the IP address. Are you running AlienVault OSSIM 5.7.1 and experiencing an issue where events are not parsed correctly, so that instead of showing the hostnames or IP addresses that are actually present in the events, the source or destination address is shown as 0.0.0.0?

[Figure: AlienVault HIDS events displaying 0.0.0.0 as IP address]

Fix AlienVault HIDS Events Displaying 0.0.0.0 as IP Address

The issue of AlienVault HIDS events displaying 0.0.0.0 as the source or destination IP address has been traced to the OSSIM OSSEC plugin, /etc/ossim/agent/plugins/ossec-single-line.cfg, which fails to translate hostnames into IPv4 addresses. The plugin does not wrap the address fields in the resolv() function, so when the field holds a hostname rather than an address, the failed conversion results in a value of 0.0.0.0.

A simple fix has been identified for this issue: customize ossec-single-line.cfg by adding the resolv() function around the address fields, as shown below.

Customize ossec-single-line.cfg Plugin

Before you make changes to the existing ossec-single-line.cfg plugin, make a copy of it with the .local extension appended.

cp /etc/ossim/agent/plugins/ossec-single-line.cfg /etc/ossim/agent/plugins/ossec-single-line.cfg.local

Next, open the copy you created above, the one with the .local extension, for editing and make the following changes.

vim /etc/ossim/agent/plugins/ossec-single-line.cfg.local

Locate all occurrences of src_ip={VARIABLE} and dst_ip={VARIABLE},

...
src_ip={$variable}
dst_ip={$variable}
...

and replace them with src_ip={resolv(VARIABLE)} and dst_ip={resolv(VARIABLE)}, so that they look like this:

...
src_ip={resolv($variable)}
dst_ip={resolv($variable)}
...

Alternatively, you can run the command below to make the changes:

sed -i -e '/src_ip=.*\}/ s/\S\w*/resolv(&)/4' -e '/dst_ip=.*\}/ s/\S\w*/resolv(&)/4' /etc/ossim/agent/plugins/ossec-single-line.cfg.local
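The sed one-liner above works on a pristine copy of the plugin, but it wraps the fourth token of every matching line unconditionally, so running it a second time produces resolv(resolv($variable)). The following script is an added example, not part of the original post: wrap_resolv performs the same rewrite of src_ip={$var} and dst_ip={$var} lines but skips lines already wrapped in resolv(), so it can be re-run safely, and count_unresolved lets you check how many address lines still lack resolv() before and after. The sample plugin lines and variable names in the demo are constructed; the real target is the .local copy created above.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent version of the
# src_ip/dst_ip -> resolv() edit for an ossec-single-line.cfg copy.

# wrap_resolv FILE : rewrite FILE in place
wrap_resolv() {
    file="$1"
    tmp="$file.tmp.$$"
    # Group 1: leading whitespace, src_ip= or dst_ip=, and the opening brace.
    # Group 3: the $variable. A value that already starts with "resolv(" does
    # not match the pattern, which is what makes the rewrite idempotent.
    sed -E 's/^([[:space:]]*(src|dst)_ip=[{])(\$[A-Za-z0-9_]+)[}]/\1resolv(\3)}/' "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# count_unresolved FILE : number of src_ip/dst_ip lines still lacking resolv()
count_unresolved() {
    # grep -c exits 1 when the count is 0; the count itself is still printed.
    grep -cE '^[[:space:]]*(src|dst)_ip=[{]\$[A-Za-z0-9_]+[}]' "$1" || true
}

# Demonstration on a constructed sample file. On a real system the argument
# would be /etc/ossim/agent/plugins/ossec-single-line.cfg.local.
demo() {
    sample="$(mktemp)"
    printf '%s\n' \
        '[0001 - sample rule (constructed)]' \
        'src_ip={$srcip}' \
        '  dst_ip={$dstip}' \
        'dst_ip={resolv($already)}' > "$sample"
    echo "before: $(count_unresolved "$sample") unresolved line(s)"
    wrap_resolv "$sample"
    wrap_resolv "$sample"     # second run must change nothing
    echo "after:  $(count_unresolved "$sample") unresolved line(s)"
    cat "$sample"
    rm -f "$sample"
}

demo
```

To use it on the real plugin copy, call wrap_resolv with the .local path and then check that count_unresolved reports 0 before running the reconfig step that follows.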

Apply the Changes

Once you have made the changes, run the alienvault-reconfig or ossim-reconfig command to apply them, and restart the agent.

ossim-reconfig && /etc/init.d/ossim-agent restart

Your source and destination addresses should now display correctly. Navigate to the GUI and confirm.

[Figure: Fixed AlienVault HIDS events displaying 0.0.0.0 as IP address]

That is all on how to fix AlienVault HIDS events displaying 0.0.0.0 as the IP address. We hope this was informative. Feel free to drop any comment.

See other AlienVault OSSIM tutorials by following the links below:

Nagios SNMP Monitoring of Linux Hosts on AlienVault USM/OSSIM

Configure Nagios Availability Monitoring on AlienVault USM/OSSIM

How to Install and Setup AlienVault HIDS Agent on a Windows Host

How to Install and Configure AlienVault HIDs Agent on a Linux Host

Import Assets to AlienVault USM/OSSIM using a CSV file

How to install and configure AlienVault OSSIM 5.5 on VirtualBox

2 COMMENTS

  1. Hi,
    please help on configuring the OSSEC agent on the Windows server, especially on monitoring Windows event logs like Application, System, Security, Setup.
