Hi Nerijus (and Carlos),

I made some changes to the pre-decoders within ossec to support the syslog format from AIX. If you can try it out from:

http://www.ossec.net/files/snapshots/ossec-hids-071011.tar.gz

It should parse properly all these messages.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/11/07, Nerijus Krukauskas <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> On 11/10/2007, Daniel Cid <[EMAIL PROTECTED]> wrote:
> > We expect:
> > Oct 9 09:50:40 MACHINE sshd[229596]: Accepted password for USER from
> > 172.29.14.41 port 55839 ssh2
> >
> > While you have:
> > Oct 9 09:50:40 MACHINE auth|security:info sshd[229596]: Accepted
> > password for USER from 172.29.14.41 port 55839 ssh2
> >
> >
> > Is this something special to your AIX config? Can you change it to the
> > standard format?
> > Any other AIX user in here with more information on this?
>
> Yep. AIX 5.3 that I am testing ossec on generates this:
> Oct 11 08:05:46 <machine> auth|security:info sshd[323808]: Accepted
> publickey for <user> from <host> port 37909 ssh2
>
> --
> http://nk99.org/
>
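As an added illustration of the format difference discussed in this thread (example code written for this page, not ossec's own C pre-decoder): a small Python pre-decoder that accepts both the standard syslog header and the AIX header with its extra facility|...:priority token, rewrites the AIX form into the standard layout, and then extracts user and source address from the sshd "Accepted" message. The hostnames, user name and address in the sample lines are constructed.

```python
import re
from typing import Optional

# Header of a BSD-style syslog line as ossec expects it, plus the optional
# "facility|...:priority" token AIX inserts between hostname and program.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    # The AIX token cannot swallow the program field: the program's colon is
    # followed by a space, while the token needs a non-space priority after it.
    r"(?:(?P<facility>[^\s:\[]+):(?P<priority>\S+) )?"
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# sshd "Accepted <method> for <user> from <addr> port <port> ..." events.
SSHD_ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<srcip>\S+) port (?P<port>\d+)"
)


def predecode(line: str) -> Optional[dict]:
    """Split a syslog line into header fields, or None if it is not syslog.
    On AIX lines facility/priority come back as separate fields."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def normalize(line: str) -> Optional[str]:
    """Drop the AIX token so the line has the standard layout ossec expects;
    standard lines pass through unchanged."""
    fields = predecode(line)
    if fields is None:
        return None
    pid = f"[{fields['pid']}]" if fields["pid"] else ""
    return (f"{fields['timestamp']} {fields['hostname']} "
            f"{fields['program']}{pid}: {fields['message']}")


def decode_sshd_accepted(line: str) -> Optional[dict]:
    """Extract method, user, source IP and port from an sshd 'Accepted' event,
    whichever of the two header formats the line uses."""
    fields = predecode(line)
    if fields is None or fields["program"] != "sshd":
        return None
    m = SSHD_ACCEPTED_RE.match(fields["message"])
    return m.groupdict() if m else None


if __name__ == "__main__":
    # Constructed sample modelled on the AIX line quoted in the thread.
    aix = ("Oct 11 08:05:46 aixhost auth|security:info sshd[323808]: "
           "Accepted publickey for alice from 10.0.0.5 port 37909 ssh2")
    print(normalize(aix))
    print(decode_sshd_accepted(aix))
```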