I posted a fix: inside ossec2mysql (ex ossec2base) the month should say Sep and not Set.

On 9/8/06, Vitor Correia < [EMAIL PROTECTED]> wrote:
hello Meir and everyone,

as promised i've set up a new testbed where i have a central logging server via syslogd (-r) and a bunch of other workstations reporting their syslogs to that server. all is well and i've even managed to start writing down installation instructions :)

now, there are two things that don't work properly: timestamp is reported as "0000-00-00 00:00:00" and ossec2base can't parse the correct "agent" ip when reporting from /var/log/*

e.g. :

** Alert 1157715877.7436:	nomail
2006 Sep 08 12:44:37 testbed2 -> /var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: ( 10.0.3.1)
User: root
sshd[15796]: Failed password for root from ::ffff:10.0.3.1 port 57468 ssh2

** Alert 1157715877.7133: mail
2006 Sep 08 12:44:37 testbed2 -> /var/log/messages
Rule: 2502 (level 10) -> 'User missed the password more than one time'
Src IP: ( 0.0.0.0)
User: (none)
sshd(pam_unix)[15794]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost= 10.0.3.1 user=root

i'm running the latest ossec-hids version (server installation) with email notification (so that i can compare results), along with ossec-ui latest version dating 08-Sep-2006 01:10.

syslog: syslogd -m 0 -r
realtime feed: /usr/bin/perl -w /usr/local/bin/ossec2based.pl --conf /etc/ossec2base.conf -d --sensor ossecbase

i don't think i'm missing any important info.

what do you think might be the problem?

./vcorreia
Vitor Correia
Systems Administrator
--

Mobbit Systems

[EMAIL PROTECTED] | Telemóvel: + 351 916 448 025

Avenida do Forte, 8 - 1º Andar - Frente 01 - 2795-503 Carnaxide
Telefone: + 351 21 418 01 40 | Fax: + 351 21 418 01 41
[EMAIL PROTECTED] | www.mobbit.net

,-O 
O(_)) for a better world
`-O 
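
Added example, not part of the original thread and not ossec2mysql's own code: a strict parser for the alert header line shown above, next to a lenient variant that shows how a month table carrying "Set" instead of "Sep" ends up as "0000-00-00 00:00:00" in the database. That the zero timestamp came from such a silent lookup failure is an assumption; the function names and `MONTHS_TYPO` are hypothetical.

```python
import re
from datetime import datetime

# What MySQL stores for an invalid DATETIME when not in strict mode.
ZERO_TS = "0000-00-00 00:00:00"

ABBREVS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
MONTHS = {name: num for num, name in enumerate(ABBREVS, start=1)}
# Constructed table reproducing the typo named in the reply ("Set" for "Sep").
MONTHS_TYPO = {("Set" if k == "Sep" else k): v for k, v in MONTHS.items()}

# Header layout as seen in the alerts on this page:
#   2006 Sep 08 12:44:37 testbed2 -> /var/log/secure
HEADER = re.compile(
    r"^(?P<year>\d{4}) (?P<mon>[A-Za-z]{3}) (?P<day>\d{2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<source>.+?)\s*->\s*(?P<path>\S+)$")

def parse_header(line, months=MONTHS):
    """Return timestamp/source/path, raising ValueError on anything unexpected."""
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError("not an alert header: %r" % line)
    if m["mon"] not in months:
        # Fail loudly: an unknown month must never reach the INSERT.
        raise ValueError("unknown month abbreviation %r" % m["mon"])
    hh, mm, ss = (int(x) for x in m["time"].split(":"))
    # datetime() also rejects impossible dates such as day 31 in a 30-day month.
    ts = datetime(int(m["year"]), months[m["mon"]], int(m["day"]), hh, mm, ss)
    return {"timestamp": ts.strftime("%Y-%m-%d %H:%M:%S"),
            "source": m["source"], "path": m["path"]}

def lenient_timestamp(line, months):
    """Assumed failure mode: the error is swallowed and a zero date is stored."""
    try:
        return parse_header(line, months)["timestamp"]
    except ValueError:
        return ZERO_TS

# Header line copied from the first alert quoted in the message above.
SAMPLE = "2006 Sep 08 12:44:37 testbed2 -> /var/log/secure"

if __name__ == "__main__":
    print(parse_header(SAMPLE))
    print(lenient_timestamp(SAMPLE, MONTHS_TYPO))
```

Rejecting the record on a parse error keeps zero-dated alerts out of the table, where they would otherwise drop out of any time-ordered query over the alerts.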

