Hello Meir and everyone,

As promised, I've set up a new testbed where I have a central logging server via syslogd (-r) and a bunch of other workstations reporting their syslogs to that server. All is well and I've even managed to start writing down installation instructions :)

Now, there are two things that don't work properly: the timestamp is reported as " 0000-00-00 00:00:00 ", and ossec2base can't parse the correct "agent" IP when reporting from /var/log/*, e.g.:

    ** Alert 1157715877.7436: nomail
    2006 Sep 08 12:44:37 testbed2 -> /var/log/secure
    Rule: 5716 (level 5) -> 'SSHD authentication failed.'
    Src IP: (10.0.3.1)
    User: root
    sshd[15796]: Failed password for root from ::ffff:10.0.3.1 port 57468 ssh2

    ** Alert 1157715877.7133: mail
    2006 Sep 08 12:44:37 testbed2 -> /var/log/messages
    Rule: 2502 (level 10) -> 'User missed the password more than one time'
    Src IP: (0.0.0.0)
    User: (none)
    sshd(pam_unix)[15794]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.3.1 user=root

I'm running the latest ossec-hids version (server installation) with email notification (so that I can compare results), along with the latest ossec-ui version dating 08-Sep-2006 01:10.

syslog:
    syslogd -m 0 -r

realtime feed:
    /usr/bin/perl -w /usr/local/bin/ossec2based.pl --conf /etc/ossec2base.conf -d --sensor ossecbase

I don't think I'm missing any important info. What do you think might be the problem?

./vcorreia

Vitor Correia
Systems Administrator -- Mobbit Systems
[EMAIL PROTECTED] | Mobile: + 351 916 448 025
Avenida do Forte, 8 - 1º Andar - Frente 01 - 2795-503 Carnaxide
Phone: + 351 21 418 01 40 | Fax: + 351 21 418 01 41
[EMAIL PROTECTED] | www.mobbit.net
for a better world
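The two alert shapes at issue, worked through as an added example that is not from the post or from ossec2base (and in Python rather than the script's Perl): a parser for OSSEC alert blocks that takes the agent name from either the "(agent) ip->location" form or the bare "hostname -> location" form the server writes for its own /var/log files, and derives the timestamp from the epoch in the alert id instead of the log line. The second sample alert is a constructed agent-form variant of the post's second alert; the agent name "testbed3" and IP 10.0.3.2 are made up.

```python
import re
from datetime import datetime, timezone

HEADER_RE = re.compile(r"^\*\* Alert (?P<epoch>\d+)\.(?P<counter>\d+): (?P<flags>.*)$")
# Origin line: "(agent) 10.0.3.2->/var/log/x" (remote agent) or "testbed2 -> /var/log/x" (local file)
ORIGIN_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
                       r"(?:\((?P<agent>[^)]+)\) (?P<ip>\S+)->|(?P<host>\S+) -> )(?P<loc>.+)$")
RULE_RE = re.compile(r"^Rule: (?P<rule>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
FIELD_RE = re.compile(r"^(?P<key>Src IP|User): \(?(?P<val>[^)]*)\)?$")
UNKNOWN = ("", "0.0.0.0", "none")  # OSSEC writes these when it has no value

def parse_alert(block):
    # One "** Alert ..." block -> dict; None if the header line is missing.
    lines = [ln for ln in block.strip().splitlines() if ln.strip()]
    if not lines or not (m := HEADER_RE.match(lines[0])):
        return None
    alert = {"id": f"{m['epoch']}.{m['counter']}", "flags": m["flags"], "agent": None,
             "agent_ip": None, "location": None, "rule": None, "level": None, "description": None,
             "src_ip": None, "user": None, "log": None,  # timestamp: alert id epoch seconds, in UTC
             "timestamp": datetime.fromtimestamp(int(m["epoch"]), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")}
    for ln in lines[1:]:
        if o := ORIGIN_RE.match(ln):
            alert["agent"] = o["agent"] or o["host"]  # hostname when there is no "(agent)" block
            alert["agent_ip"], alert["location"] = o["ip"], o["loc"]  # ip stays None for local files
        elif r := RULE_RE.match(ln):
            alert["rule"], alert["level"], alert["description"] = int(r["rule"]), int(r["level"]), r["desc"]
        elif f := FIELD_RE.match(ln):
            key = "src_ip" if f["key"] == "Src IP" else "user"
            alert[key] = None if f["val"] in UNKNOWN else f["val"]
        else:  # anything else is the raw log event; keep every line of it
            alert["log"] = ln if alert["log"] is None else alert["log"] + "\n" + ln
    return alert

def parse_alerts(text):
    # Split alerts.log-style text at each "** Alert" header and parse the blocks.
    return [a for a in map(parse_alert, re.split(r"(?m)^(?=\*\* Alert )", text)) if a]

# Constructed sample: the post's first alert verbatim, then an agent-form variant of its second
# alert (agent name "testbed3" and IP 10.0.3.2 are made up).
SAMPLE = """** Alert 1157715877.7436: nomail
2006 Sep 08 12:44:37 testbed2 -> /var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: (10.0.3.1)
User: root
sshd[15796]: Failed password for root from ::ffff:10.0.3.1 port 57468 ssh2
** Alert 1157715877.7133: mail
2006 Sep 08 12:44:37 (testbed3) 10.0.3.2->/var/log/messages
Rule: 2502 (level 10) -> 'User missed the password more than one time'
Src IP: (0.0.0.0)
User: (none)
"""
```

Feeding the two sample blocks through parse_alerts gives agent "testbed2" with no agent IP for the local-file alert, "testbed3"/10.0.3.2 for the agent-form one, and "2006-09-08 11:44:37" (UTC) for both timestamps.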
