Fix AlienVault HIDS Events Displaying as IP Address

Last Updated:

In this guide, we are going to show you how to fix AlienVault HIDS events displaying as IP address. Are you running AlienVault OSSIM 5.7.1 and you are experiencing an issue where by it is not parsing events correctly and instead of displaying the actual hostnames or IP addresses as it is on the events, it displays

Fix AlienVault HIDS Events Displaying as IP Address dst src

Fixing AlienVault HIDS Events Displaying as IP Address

The issue of AlienVault HIDS Events displaying as IP address for either source or destination has been identified to be related to the ossim ossec plugin, /etc/ossim/agent/plugins/ossec-single-line.cfg which fails to translate hostnames into IPv4 addresses. This is because this plugin do not contain the resolv() function hence a failed resolution results in a value of

Well, there has been a simple fix that has been identified to solve this issue. This involves customizing the ossec-single-line.cfg by adding the resolv() function as shown below.

Customize ossec-single-line.cfg Plugin

Before you can make changes to an existing ossec-single-line.cfg plugin, make a copy of it by appending the .local extension.

cp /etc/ossim/agent/plugins/ossec-single-line.cfg{,.local}

Next, open the the backup plugin you created above,the one with the .local extension, for editing and make the following changes.

vim /etc/ossim/agent/plugins/ossec-single-line.cfg.local

Locate all the occurrences of src_ip={VARIABLE} and dst_ip={VARIABLE},


For example;


and replace them with src_ip={resolv(VARIABLE)} and dst_ip={resolv(VARIABLE)} such that they look like;


You can simply run the command below to make the changes;

sed -i -e '/src_ip=.*\}/ s/\S\w*/resolv(&)/4' -e '/dst_ip=.*\}/ s/\S\w*/resolv(&)/4' /etc/ossim/agent/plugins/ossec-single-line.cfg.local

After making the changes, the variable looks like, for example;


Apply the Changes

Once you have made the changes, you need to run the alienvault-reconfig or ossim-reconfig command to apply the changes.

ossim-reconfig && /etc/init.d/ossim-agent restart

Your source or destination addresses should now be fine. Navigate to the GUI and confirm the same.


Well, that is all on how to fix IP address showing as on AlienVault HIDS events. We hope this was informative. Feel free to drop any comment.

See other Alienvault ossim tutorials by following the links below;

Nagios SNMP Monitoring of Linux Hosts on AlienVault USM/OSSIM

Configure Nagios Availability Monitoring on AlienVault USM/OSSIM

How to Install and Setup AlienVault HIDS Agent on a Windows Host

How to Install and Configure AlienVault HIDs Agent on a Linux Host

Import Assets to AlienVault USM/OSSIM using a CSV file

How to install and configure AlienVault OSSIM 5.5 on VirtualBox


We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
I am the Co-founder of, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".

11 thoughts on “Fix AlienVault HIDS Events Displaying as IP Address”

  1. hi,
    please help on the configuring ossec agent on the windows server especially on monitoring windows event logs like Application, system, security, setup

  2. hi,
    please help how to remove a “false alarm” such ‘alienvault hids:windows audit failure event’. Because it’s so difficult to find out on the google as well as on the other web.
    I did some changes on ossim-single-line plugins but it still doesn’t work, also i had deleted the table plugin_sid on mysql but it still comes up.
    Thank you

      • Hi Mibey,
        thank you for the reply,
        but how can I make a policy to make such event?
        would you like to give me the link/tutorial for me as a reference?
        or would you mind creating another tutorial on this web?
        surely appreciate if you don’t mind..

        Thank you,

  3. Hi,
    I did, but ossim-reconfig && /etc/init.d/ossim-agent restart after this command ossec plugin update does not continue to remain at 12%. What is the solution?

  4. Hi, Thanks for this it helped resolve the problem with HIDS showing
    I’m facing same problem with some NxLog Events as well, do you have any guidance on that as well?


    This is the most helpful information I have seen for OSSIM in forever. I am going to look at other articles you have put out. Maybe there is one about sending the raw log data across in the email instead of just the macros.

    thank you thank you thank you!


Leave a Comment