[ossec-list] About the user login/login failed alert

2017-06-28 Thread azol
Hello, I've set up the OSSEC server and agent on my serverS (server) and serverA (agent), but when I log in to serverA, I have not received the email alert; but if I change something on serverA, I do receive the email alert. So, my question is: how to make an email alert when someone logs in to

[ossec-list] Integration with MS SCCM

2017-06-28 Thread Irshad Rahimbux
Dear Team, I would like to integrate Microsoft SCCM with OSSIM. All configuration has been done in ms-sccm.cfg [which was already available]. Logs are coming to /var/log/alienvault/agent.log but not to /var/ossec/logs/alerts/alerts.log. Any idea why and what I am doing wrong? Kindly advise.

[ossec-list] Re: About the user login/login failed alert

2017-06-28 Thread azol
Hi, I set the email notify level to 3 and tried to log in to serverA through ssh. It works, I receive the email alert. Thank you! And I have another question: I want to block the user IP when the user login fails more than 3 times with ssh, then block the IP of the user. I use 5712, but it did not

Re: [ossec-list] Re: Passing entire log line to Active Response script - how?

2017-06-28 Thread dan (ddp)
On Wed, Jun 28, 2017 at 12:21 PM, Guy Or wrote:
>> It doesn't work, a real shame... It will only work if you don't have spaces
>> in your log line.
>
> This is really really really annoying lol... all that is needed is to wrap
> with ' ' the argument (log line with spaces and

[ossec-list] Re: About the user login/login failed alert

2017-06-28 Thread miguelangel
Hi, the email notification is triggered when an alert reaches or exceeds the level defined in (by default it is set to level 7); setting this option to level 3 will send you email notifications for successful login attempts. Option reference:

[ossec-list] Re: Treat Multiple Files as One

2017-06-28 Thread Jesus Linares
Hi Eric,
> Right now, I believe OSSEC is only able to correlate multiple failed logins
> if they all happen to show up on only 1 of the log files
That is not correct. The rules are based on the content of a log, not on the source. Pay attention to the following rules: sshd SSHD

[ossec-list] Re: Block ssh user ip after failed login attempt in OSSEC

2017-06-28 Thread Jesus Linares
Hi, the *frequency* attribute specifies the number of times (+2) the rule must have matched before firing. In this case, rule 5720 will be fired if rule 5716 is fired 8 times (6+2). You must use *frequency="1"* to fire the rule after 3 attempts. Also, it is a good idea to add the

[ossec-list] Re: Passing entire log line to Active Response script - how?

2017-06-28 Thread Jesus Linares
Hi, you are totally right. Active response configuration should allow any field: srcip, user, port, dynamic fields, etc. It is in the Wazuh roadmap.
> It doesn't work, a real shame... It will only work if you don't

[ossec-list] Re: Passing entire log line to Active Response script - how?

2017-06-28 Thread Guy Or
> It doesn't work, a real shame... It will only work if you don't have spaces
> in your log line.

This is really really really annoying lol... all that is needed is to wrap with ' ' the argument (log line with spaces and all sorts of characters) when you pass it to the active response

[ossec-list] Block ssh user ip after failed login attempt in OSSEC

2017-06-28 Thread Rahul Tiwari
I need to block the user IP after 3 failed login attempts in OSSEC. I tried the below in the sshd_rules file: 5716 Multiple SSHD authentication failures. authentication_failures, But it's blocking the user IP after 10 attempts. Please help me out