** Alert 1157127980.998365:
2006 Sep 01 19:26:20 topgun->/var/log/auth.log
Rule: 5704 (level 4) -> 'Timeout while logging in (sshd).'
Src IP: (none)
User: (none)
sshd[18431]: fatal: Timeout before authentication for 61.142.66.58
** Alert 1157128230.998595:
2006 Sep 01 19:30:30 topgun->/var/log/auth.log
Rule: 2501 (level 5) -> 'User authentication failure.'
Src IP: (none)
User: (none)
sudo: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=pts/4 ruser= rhost= user=meirm
** Alert 1157128236.998853:
2006 Sep 01 19:30:36 topgun->/var/log/auth.log
Rule: 5303 (level 3) -> 'User sucessfully changed UID to root'
Src IP: (none)
User: (none)
su[19033]: (pam_unix) session opened for user root by (uid=0)
** Alert 1157128238.999082:
2006 Sep 01 19:30:38 topgun->/var/log/auth.log
Rule: 5303 (level 3) -> 'User sucessfully changed UID to root'
Src IP: (none)
User: (none)
su[19058]: (pam_unix) session opened for user root by (uid=0)
** Alert 1157128238.999311:
2006 Sep 01 19:30:38 topgun->/var/log/secure
Rule: 5303 (level 3) -> 'User sucessfully changed UID to root'
Src IP: (none)
User: (none)
su[19058]: (pam_unix) session opened for user root by (uid=0)
** Alert 1157128268.999538:
2006 Sep 01 19:31:08 topgun->/var/log/auth.log
Rule: 5303 (level 3) -> 'User sucessfully changed UID to root'
Src IP: (none)
User: (none)
su[19145]: (pam_unix) session opened for user root by (uid=0)
I am using the server without agents and other servers sending their logs through syslog to the central syslog where ossec is running.
I have similar logs from two other servers in remote locations.
I am using a regex to extract the alert host by parsing the line that starts with the date. In your sample they all seem to proceed from localhost:
2006 Sep 01 16:05:46 localhost -> (webappserver)
2006 Sep 01 16:08:34 localhost -> (vitorcorreia)
In my case after the arrow I have the logfile where the event was learned from. In your case it is ???. I guess that the equivalent to mine is the line that you have starting with the IP pointing to the logfile.
From what I see you are running a CVS version of ossec that is not stable yet.
You should be using instead the latest ossec snapshot from www.ossec.net.
I think it is 20060820
or 9.1
You still should use my latest CVS snapshot for the UI.
There are a lot of changes since the last release and stable snapshot. As we work in different parts of the project, the latest CVS status may be broken, like in this case between ossec-hids and ossec-ui. Daniel Cid is doing the major changes in ossec-hids. We discussed them and we are supposed to merge and fix our interfaces.
I will try to schedule with Daniel to work on the integration of our latest changes during the following week. If you are interested in the development of ossec, continue from where you are and help us coding. If you mean to use ossec on a production server you should stick to the stable versions of ossec-hids and ossec-ui.
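The two alert layouts compared above (the server-local `topgun->/var/log/auth.log` line versus the CVS build's `localhost -> (jeremias)` line followed by `10.0.3.210->/var/log/messages`) can be handled by one parser. The block below is an added example, not ossec2mysql's or ossec-ui's own code: it extracts the reporting host, agent name, agent IP and logfile from both layouts, and it validates any host token before a reverse lookup. That validation is the point of the `host (agent1) 10.0.3.152` shell errors quoted at the end of the thread: the whole agent field, parentheses and all, reached `sh -c`, so the lookup here goes through the socket API instead. The sample records are constructed from the ones in this thread; `is_safe_host_token` and `resolve_hostname` are assumed helper names, not ossec2base options.

```python
import re
import socket
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shapes seen in this thread: one record in the
# server-local layout, one in the agent layout produced by the CVS build.
SAMPLE_ALERTS = """\
** Alert 1157127980.998365:
2006 Sep 01 19:26:20 topgun->/var/log/auth.log
Rule: 5704 (level 4) -> 'Timeout while logging in (sshd).'
Src IP: (none)
User: (none)
sshd[18431]: fatal: Timeout before authentication for 61.142.66.58

** Alert 1157123080.1737037: nomail
2006 Sep 01 16:04:40 localhost -> (jeremias)
10.0.3.210->/var/log/messages
Rule: 2501 (level 5) -> 'User authentication failure.'
Src IP: ( 0.0.0.0)
User: (none)
sshd(pam_unix)[22065]: authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost= 10.0.2.201 user=root
"""

DATE = r"^(?P<date>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2})"
HEADER_RE = re.compile(r"^\*\* Alert (?P<ts>\d+\.\d+):(?P<flags>.*)$")
LOCAL_RE = re.compile(DATE + r" (?P<host>\S+)->(?P<logfile>\S+)$")        # host->logfile
AGENT_RE = re.compile(DATE + r" (?P<host>\S+) -> \((?P<agent>[^)]*)\)$")  # host -> (agent)
AGENT_LOC_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})->(?P<logfile>\S+)$")
RULE_RE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
# Bare hostname or dotted quad only: no spaces, parentheses or shell metacharacters.
HOST_TOKEN_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
                           r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")


@dataclass
class Alert:
    alert_id: str
    flags: str = ""
    date: Optional[str] = None
    reporting_host: Optional[str] = None   # the box that wrote the alert
    agent: Optional[str] = None            # agent name, agent layout only
    agent_ip: Optional[str] = None
    logfile: Optional[str] = None
    rule_id: Optional[int] = None
    level: Optional[int] = None
    description: Optional[str] = None
    src_ip: Optional[str] = None
    user: Optional[str] = None
    log_lines: List[str] = field(default_factory=list)

    @property
    def log(self) -> str:
        return " ".join(self.log_lines)


def _paren_value(text: str) -> Optional[str]:
    """'(none)' -> None, '( 0.0.0.0)' -> '0.0.0.0', 'root' -> 'root'."""
    text = text.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1].strip()
    return None if text in ("", "none") else text


def parse_alerts(text: str) -> List[Alert]:
    """Split an alerts.log stream into Alert records, accepting both layouts."""
    alerts: List[Alert] = []
    cur: Optional[Alert] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            cur = Alert(alert_id=m.group("ts"), flags=m.group("flags").strip())
            alerts.append(cur)
            continue
        if cur is None or not line:
            continue
        if cur.date is None:
            m = AGENT_RE.match(line) or LOCAL_RE.match(line)
            if m:
                cur.date, cur.reporting_host = m.group("date"), m.group("host")
                if "agent" in m.groupdict():
                    cur.agent = m.group("agent")
                else:
                    cur.logfile = m.group("logfile")
                continue
        if cur.logfile is None:
            m = AGENT_LOC_RE.match(line)
            if m:
                cur.agent_ip, cur.logfile = m.group("ip"), m.group("logfile")
                continue
        if not cur.log_lines:  # header fields only precede the raw log line(s)
            m = RULE_RE.match(line)
            if m:
                cur.rule_id, cur.level = int(m.group("id")), int(m.group("level"))
                cur.description = m.group("desc")
                continue
            if line.startswith("Src IP:"):
                cur.src_ip = _paren_value(line.split(":", 1)[1])
                continue
            if line.startswith("User:"):
                cur.user = _paren_value(line.split(":", 1)[1])
                continue
        cur.log_lines.append(line)
    return alerts


def is_safe_host_token(value: str) -> bool:
    """Reject anything that is not a bare hostname or IPv4 address, such as the
    '(agent1) 10.0.3.152' string that produced the sh errors in this thread."""
    return bool(HOST_TOKEN_RE.match(value))


def resolve_hostname(ip: str) -> Optional[str]:
    """Reverse-resolve through the socket API rather than sh -c "host ...", so the
    value is never parsed by a shell. None when unsafe or unresolvable."""
    if not is_safe_host_token(ip):
        return None
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a.alert_id, a.reporting_host, a.agent, a.agent_ip, a.logfile,
              a.rule_id, a.level, a.src_ip, a.user)
```

With `resolve=1` set, only `agent_ip` (or `reporting_host` for the local layout) should ever be handed to a resolver; the agent name stays a display field. Keeping the lookup off the shell removes the quoting problem entirely rather than patching around parentheses.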
On 9/1/06, Vitor Correia <[EMAIL PROTECTED]> wrote:
here you go, hope it helps.
if you need anything else just ask.
./vcorreia
Meir Michanie wrote: send as an attachment a new alert log so I can parse it and see what's wrong.
On 9/1/06, Vitor Correia <[EMAIL PROTECTED]> wrote: did what you asked but to no avail :(
Dennis Borkhus-Veto wrote: Could you change
dbhost=localhost
to the actual IP address to at least see if that is where it's coming from.
Dennis
-----Original Message-----
From: [email protected] <[email protected]>
To: [email protected] <[email protected]>
Sent: Fri Sep 01 04:23:25 2006
Subject: [ossec-list] OSSEC2MYSQL - Agents being reported as 127.0.0.1

Hello Meir & everyone,

In the past few days I managed to get a working installation of ossec2mysql in a server-client environment and I'm very happy with the outcome of all the testing and debugging done with the precious help of Meir. Still, one question remains: my agents all show up in the alerts as 127.0.0.1. For debugging purposes I have the email notification on and all shows up well, i.e. the IPs are being resolved or correctly sent. Meir, I've installed the latest version of ossec-ui dating from 1-Sep-2006 01h10.
I don't know if this helps, but here it goes:
cat /etc/ossec2base.conf
# PARAMS USED BY OSSEC2BASED
dbhost=localhost
database=ossecbase
debug=5
dbport=3306
dbpasswd=<pwd>
dbuser=<user>
fieldseparator=;
daemonize=0
sensor=ossec
interface=daemon
resolve=1
cat /etc/ossec-init.conf
DIRECTORY="/var/ossec"
VERSION="v0.9-1"
DATE="Wed Aug 30 15:16:17 WEST 2006"
TYPE="server"
Thanks,
./vcorreia
Vitor Correia
Systems Administrator
--
Mobbit Systems
[EMAIL PROTECTED]
| Telemóvel: + 351 916 448 025
Avenida do Forte, 8 - 1º Andar - Frente 01 - 2795-503 Carnaxide
Telefone: + 351 21 418 01 40 | Fax: + 351 21 418 01 41
[EMAIL PROTECTED] | www.mobbit.net ,-O O(_)) for a better world `-O
Generated by BASE v1.2.6 (christine) on Fri, 1 Sep 2006 16:09:42 +0100
------------------------------------------------------------------------------
#(8 - 1) [0000-00-00 00:00:00] [local/2501] [snort/:2501] 'User authentication failure.'
Payload: ** Alert 1157123080.1737037: nomail
2006 Sep 01 16:04:40 localhost -> (jeremias)
10.0.3.210->/var/log/messages
Rule: 2501 (level 5) -> 'User authentication failure.'
Src IP: ( 0.0.0.0)
User: (none)
sshd(pam_unix)[22065]: authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost= 10.0.2.201 user=root
------------------------------------------------------------------------------
#(8 - 2) [0000-00-00 00:00:00] [local/5716] [snort/:5716] 'SSHD authentication failed.'
Payload: ** Alert 1157123082.1737324: nomail
2006 Sep 01 16:04:42 localhost -> (jeremias)
10.0.3.210->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: ( 10.0.2.201)
User: root
sshd[22065]: Failed password for root from ::ffff:10.0.2.201 port
32924 ssh2
------------------------------------------------------------------------------
#(8 - 3) [0000-00-00 00:00:00] [local/2501] [snort/:2501] 'User authentication failure.'
Payload: ** Alert 1157123146.1737582: nomail
2006 Sep 01 16:05:46 localhost -> (webappserver)
10.0.3.220->/var/log/messages
Rule: 2501 (level 5) -> 'User authentication failure.'
Src IP: (0.0.0.0)
User: (none)
sshd(pam_unix)[22065]: authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=10.0.2.201 user=root
------------------------------------------------------------------------------
#(8 - 4) [0000-00-00 00:00:00] [local/5716] [snort/:5716] 'SSHD authentication failed.'
Payload: ** Alert 1157123146.1737874: nomail
2006 Sep 01 16:05:46 localhost -> (webappserver)
10.0.3.220->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: (10.0.2.201)
User: root
sshd[22065]: Failed password for root from ::ffff: 10.0.2.201 port
32924 ssh2
------------------------------------------------------------------------------
#(8 - 5) [0000-00-00 00:00:00] [local/5715] [snort/:5715] 'SSHD authentication success.'
Payload: ** Alert 1157123314.1738137: nomail
2006 Sep 01 16:08:34 localhost -> (vitorcorreia)
10.0.3.43->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: ( 10.0.3.210)
User: root
sshd[20938]: Accepted password for root from 10.0.3.210 port 33214
ssh2
-----------------------------
This has cropped up a lot in /var/log/ossec2based.err:
sh: -c: line 0: syntax error near unexpected token `agent1'
sh: -c: line 0: `host (agent1) 10.0.3.152 2>/dev/null | grep 'has address' '
sh: -c: line 0: syntax error near unexpected token `agent2'
sh: -c: line 0: `host (agent2) 10.0.3.46 2>/dev/null | grep 'has address' '
