I've many sensors and one server. Everything seems to work pretty well but arpwatch. I used ossim-setup to activate the plugin, and I'm using the latest release.
When starting it manually, I can see events (most of them are flip flop).

Sensor-Clients:/var/log/ossim# /usr/sbin/arpwatch_eth0 -d -d -i eth0 -f /var/lib/arpwatch/arp-eth0.dat
arpwatch_eth0: flip flop 10.0.2.1 07:00:27:30:31:86 (00:0c:21:83:b2:d5) eth0
arpwatch_eth0: flip flop 10.0.2.1 00:0c:21:83:b2:d5 (07:00:27:30:31:86) eth0

These events are written in the file /var/log/ossim/arpwatch-eth0.log.
The regex in /etc/ossim/agent/plugins/arpwatch_eth0.cfg seems to be good:

regexp="arpwatch.*?: flip flop (\IPV4) (\MAC) \((\MAC)\) (\S+)"
In the agent.log file, only:

2012-11-12 17:13:51,390 Output [INFO]: idm-event ip="10.0.3.1" mac="07:00:27:30:31:86" inventory_source="13"
2012-11-12 17:13:57,258 Output [INFO]: idm-event ip="10.0.3.1" mac="00:0c:21:83:b2:d5" inventory_source="13"
Nothing seems to happen on the server.
What can I check next? ossec rules? I can't see the link between the plugin file regex and the ossec rules... I don't know if the plugin works or not at all. Any help would be appreciated!
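One way to check offline whether the plugin regexp from arpwatch_eth0.cfg actually captures the flip flop lines shown above (added example, not the poster's code and not part of OSSIM; the expansions assumed for the `\IPV4` and `\MAC` agent macros are an approximation, and the sample lines are constructed from the post):

```python
import re

# Constructed sample lines in the format arpwatch writes to /var/log/ossim/arpwatch-eth0.log
SAMPLE_LINES = [
    "arpwatch_eth0: flip flop 10.0.2.1 07:00:27:30:31:86 (00:0c:21:83:b2:d5) eth0",
    "arpwatch_eth0: flip flop 10.0.2.1 00:0c:21:83:b2:d5 (07:00:27:30:31:86) eth0",
    "arpwatch_eth0: new station 10.0.2.15 08:00:27:aa:bb:cc eth0",  # not a flip flop, must not match
]

# The regexp exactly as it appears in the plugin .cfg; \IPV4 and \MAC are agent macros
PLUGIN_REGEXP = r"arpwatch.*?: flip flop (\IPV4) (\MAC) \((\MAC)\) (\S+)"

# Assumed macro expansions (approximation for testing, not the agent's own macro table)
MACROS = {
    r"\IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    r"\MAC": r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}",
}


def expand_macros(pattern: str) -> str:
    """Replace the agent macros with plain Python regex fragments."""
    for name, expansion in MACROS.items():
        pattern = pattern.replace(name, expansion)
    return pattern


def match_flip_flops(lines):
    """Return one dict per line the plugin regexp matches: ip, new_mac, old_mac, iface."""
    rx = re.compile(expand_macros(PLUGIN_REGEXP))
    events = []
    for line in lines:
        m = rx.search(line)
        if m is None:
            continue  # line would not produce an event in the agent either
        ip, new_mac, old_mac, iface = m.groups()
        events.append({"ip": ip, "new_mac": new_mac, "old_mac": old_mac, "iface": iface})
    return events


if __name__ == "__main__":
    # Expected: two events extracted, the "new station" line ignored
    for ev in match_flip_flops(SAMPLE_LINES):
        print(ev)
```

If the two flip flop lines match here but nothing reaches the server, the regexp is not the problem and the remaining suspects are the plugin's enable state, the log path the agent reads, and the server-side connection.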