Known Issue: AlienVault HIDS Events Displaying as IP Addresses


I have updated the remote sensor to 5.4.1 but I still have this issue, only on dst_ip with
Does a workaround exist for this issue?

  • Hi,

    I have the same issue. Not sure why; the patch does not seem to work?

  • Hi,

    The issue seems to be only on plugin id 4003; other logs have src and dst IP.

    2017-08-23 09:31:10,533 Detector [WARNING]: ssh[4003] Event's field src_ip sensorname is not a valid IP.v4/IP.v6 address, falling back to default:
    2017-08-23 09:31:10,533 Detector [WARNING]: ssh[4003] Event's field dst_ip sensorname is not a valid IP.v4/IP.v6 address, falling back to default:
    2017-08-23 09:31:10,533 Detector [WARNING]: ssh[4003] Event's device field sensorname is not a valid IP.v4/IP.v6 address, falling back to default local.
    2017-08-23 09:31:10,534 Output [INFO]: event type="detector" date="1503473470" device="" interface="eth0" plugin_id="4003" plugin_sid="27" src_ip="" dst_ip="" dst_port="22"
    I have run into this issue whenever initially starting HIDS up since the release of 5.4. I ended up running the following CLI jailbreak command to get that service started correctly. I've experienced a few things not starting properly with the latest patch release.


    Hopefully this helps. 
  • Did anyone come up with any resolutions to this? I am having the same problem and receiving numerous warning messages indicating that the system had to fall back to  It appears that the parser is using the hostname in the src_ip and dst_ip fields and not resolving it to the IP address. I had looked at an older version of the ossec-single-line.cfg file and found that often the src_ip/dst_ip was using resolv($hostname), but in my current version it is just doing a direct assignment of $hostname.
    I have the same problem. I tried to update to the latest version but it didn't work. I restarted, updated and reconfigured OSSIM but it didn't work either.

    I tried to replace the syslog template to register the IP but I broke something more, and syslog messages stopped appearing in the events dashboard.
    If anyone has a suggestion, it will be welcome.


    hi folks,
    I have had the misfortune of having to resolve this issue on one of my own OSSIM installations. Total PITA!
    Someone above has correctly observed that this behaviour is related to the OSSIM ossec plugin.

    ossim shows as the source / destination in the SIEM events view despite the correct hostname or IP appearing in the event details.

    - copy the entire contents of the ossec-single-line.cfg file into a file called ossec-single-line.cfg.local. The file lives in the /etc/ossim/agent/plugins/ directory. Put the new file in the same directory.
    - in the new ossec-single-line.cfg.local file replace all occurrences of
    src_ip={<whatever>} or
    src_ip={resolv(<whatever>)} or

    once you have made the changes save the file and run the command:
    ossim-reconfig && service ossim-agent restart

    new events should now have the correct IPs in the SIEM views.
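    As an added example (not code from the thread or from AlienVault): a small Python check that, first, counts the "not a valid IP" Detector warnings per plugin id and field from agent log lines like the ones quoted above, so the affected plugin can be spotted from the log, and second, flags src_ip/dst_ip assignments in a plugin cfg that hand over a captured value without wrapping it in resolv(), which is the direct-$hostname assignment described earlier. The sample log lines and the cfg rule (rule name, regexp) are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample agent log lines, modelled on the warnings quoted in the thread.
SAMPLE_LOG = """\
2017-08-23 09:31:10,533 Detector [WARNING]: ssh[4003] Event's field src_ip sensorname is not a valid IP.v4/IP.v6 address, falling back to default:
2017-08-23 09:31:10,533 Detector [WARNING]: ssh[4003] Event's field dst_ip sensorname is not a valid IP.v4/IP.v6 address, falling back to default:
2017-08-23 09:31:10,534 Output [INFO]: event type="detector" date="1503473470" device="" interface="eth0" plugin_id="4003" plugin_sid="27" src_ip="" dst_ip="" dst_port="22"
"""

# Matches the Detector warning and captures plugin id, field name and the rejected value.
WARN_RE = re.compile(
    r"Detector \[WARNING\]: \w+\[(?P<plugin>\d+)\] Event's field (?P<field>src_ip|dst_ip) "
    r"(?P<value>\S+) is not a valid IP\.v4/IP\.v6 address"
)

def count_invalid_ip_warnings(log_text):
    """Count 'not a valid IP' warnings per (plugin_id, field), so a log check can
    tell which plugin is feeding hostnames into the IP fields."""
    counts = Counter()
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            counts[(int(m.group("plugin")), m.group("field"))] += 1
    return counts

# Constructed plugin cfg fragment in the OSSIM plugin INI style. The rule name and
# regexp are hypothetical; only the src_ip/dst_ip assignment forms come from the thread.
SAMPLE_CFG = """\
[0001 - ossec - example rule]
event_type=event
regexp="(?P<hostname>\\S+) example"
src_ip={$hostname}
dst_ip={resolv($hostname)}
"""

ASSIGN_RE = re.compile(r"^(?P<field>src_ip|dst_ip)=\{(?P<expr>[^}]*)\}", re.M)

def find_unresolved_ip_fields(cfg_text):
    """Return (field, expr) pairs where an IP field is assigned a captured value
    without resolv(); when that capture is a hostname the agent logs the warning
    above and writes an empty src_ip/dst_ip into the event."""
    return [(m.group("field"), m.group("expr"))
            for m in ASSIGN_RE.finditer(cfg_text)
            if not m.group("expr").startswith("resolv(")]
```

Running find_unresolved_ip_fields over the real ossec-single-line.cfg shows which rules still need the resolv() wrapper before the .local copy is written.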

  • Hi
    I have read all your comments but I can't find ossec-single-line.cfg inside /etc/ossim/agent/plugins. Do you know how to enable this plugin?
