
Syslog host IP issues

davidbrilliant
New Contributor

Has anybody run into an issue within syslogs where IP addresses are showing up in the SyslogMessage column, but not in the HostIP column? I am seeing ssh attempts from IPs but the originating IP is in the SyslogMessage description while HostIP shows unknown or 127.0.0.1. I believe this could also be what is causing my potentially malicious event map to show "No Data Was Found".


Any help would be greatly appreciated!

1 Reply

Hi 

Is this syslog from a local machine with the agent? Or syslog CEF where a message is being sent via CEF to a machine with the agent?


Either way, could you share the source message format? And a screen capture of the data in the Azure Sentinel workspace?

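A query that recovers the peer address from the message text when HostIP is unhelpful, as an added example that is not part of the original thread: it assumes the Sentinel Syslog table column names mentioned above and the standard OpenSSH sshd wording ("... from <ip> port <n> ssh2"), and embeds constructed sample rows so it runs without a workspace.

```kusto
// Constructed sample rows shaped like the Sentinel Syslog table for the case in the
// question: HostIP is 127.0.0.1 or unknown while the real source sits in SyslogMessage.
let SampleSyslog = datatable(TimeGenerated:datetime, Computer:string, HostIP:string,
                             Facility:string, ProcessName:string, SyslogMessage:string)
[
    datetime(2019-08-01T10:00:01Z), "web01", "127.0.0.1", "auth", "sshd",
        "Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2",
    datetime(2019-08-01T10:00:05Z), "web01", "127.0.0.1", "auth", "sshd",
        "Failed password for root from 203.0.113.10 port 51240 ssh2",
    datetime(2019-08-01T10:00:09Z), "web01", "unknown",   "auth", "sshd",
        "Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2",
    datetime(2019-08-01T10:00:12Z), "web01", "127.0.0.1", "cron", "CRON",
        "(root) CMD (run-parts /etc/cron.hourly)"
];
SampleSyslog
// Against a real workspace, replace SampleSyslog with the Syslog table; the rest is unchanged.
| where ProcessName == "sshd"
// Capture group 1 is the IPv4 address that follows "from" in the sshd message.
| extend SourceIP = extract(@"\bfrom\s+(\d{1,3}(?:\.\d{1,3}){3})\s+port\s+\d+", 1, SyslogMessage)
| extend Outcome = case(SyslogMessage startswith "Failed password", "failure",
                        SyslogMessage startswith "Accepted", "success",
                        "other")
// Drop sshd lines that carry no peer address (session teardown, key load messages, etc.).
| where isnotempty(SourceIP)
| summarize Attempts = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Computer, HostIP, SourceIP, Outcome
| order by Attempts desc
```

The summarized SourceIP column is what a map or entity-based visual needs; HostIP stays as the agent reported it for comparison.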