about the date problem, check
and check :( still dunno what to do, but i'll get there.
./vcorreia
Meir Michanie wrote:
The latest snapshot from riunx has the same files as cvs ossec-hids/contrib/...
About your date problem: see that you have the logs under Sep and that you're running the latest snapshot.
On 9/11/06, Vitor Correia <[EMAIL PROTECTED]> wrote:
I understand that ossec2base has been renamed to ossec2mysql; in what ways does this affect the installation procedure? Are the *.pl files still inside ossec-ui-****** @ http://www.riunx.com/public or are they inside ossec-hids**** @ ossec.net?
i'm still getting the wrong timestamp and ip, it's driving me nuts :)
do you think the architecture i've implemented (see below) is ok or prone to "errors"?
./vcorreia
Meir Michanie wrote:
I posted a fix: inside ossec2mysql (ex ossec2base) the month should say Sep and not Set.
On 9/8/06, Vitor Correia <[EMAIL PROTECTED]> wrote:
hello Meir and everyone,
as promised i've set up a new testbed where i have a central logging server via syslogd (-r) and a bunch of other workstations reporting their syslogs to that server. all is well and i've even managed to start writing down installation instructions :)
now, there are two things that don't work properly: the timestamp is reported as "0000-00-00 00:00:00" and ossec2base can't parse the correct "agent" ip when reporting from /var/log/*
e.g.:
** Alert 1157715877.7436: nomail
2006 Sep 08 12:44:37 testbed2 -> /var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: (10.0.3.1)
User: root
sshd[15796]: Failed password for root from ::ffff:10.0.3.1 port 57468 ssh2

** Alert 1157715877.7133: mail
2006 Sep 08 12:44:37 testbed2 -> /var/log/messages
Rule: 2502 (level 10) -> 'User missed the password more than one time'
Src IP: (0.0.0.0)
User: (none)
sshd(pam_unix)[15794]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.3.1 user=root
i'm running the latest ossec-hids version (server installation) with email notification (so that i can compare results), along with the latest ossec-ui version dating 08-Sep-2006 01:10.
syslog: syslogd -m 0 -r
realtime feed: /usr/bin/perl -w /usr/local/bin/ossec2based.pl --conf /etc/ossec2base.conf -d --sensor ossecbase
i don't think i'm missing any important info.
what do you think might be the problem?
./vcorreia
Vitor Correia
Systems Administrator
--
Mobbit Systems
[EMAIL PROTECTED] | Mobile: + 351 916 448 025
Avenida do Forte, 8 - 1º Andar - Frente 01 - 2795-503 Carnaxide
Phone: + 351 21 418 01 40 | Fax: + 351 21 418 01 41
[EMAIL PROTECTED] | www.mobbit.net
,-O
O(_)) for a better world
`-O
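An added parser for the alert records quoted in this thread (example code written for this page, not the ossec2mysql/ossec2base script itself): it reads the "** Alert" header, the "YYYY Mon DD" timestamp, the Rule line and the Src IP/User fields exactly as they appear in the two alerts above, accepts the Portuguese month abbreviation "Set" alongside "Sep" so the month lookup cannot produce a 0000-00-00 00:00:00 row, and, when Src IP is 0.0.0.0 as in the pam_unix alert, recovers the peer address from the rhost= token in the log line. The month table and the rhost= fallback are this example's own assumptions, and the sample alert is constructed from the thread.

```python
import re
from datetime import datetime
# Month table: English abbreviations as OSSEC writes them, plus the Portuguese
# ones (e.g. "Set" for September) that a localized ossec2base table used.
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
MONTHS.update(Fev=2, Abr=4, Mai=5, Ago=8, Set=9, Out=10, Dez=12)
HEADER = re.compile(r"^\*\* Alert (\d+\.\d+): (\w+)$")
STAMP = re.compile(r"^(\d{4}) (\w{3}) (\d{2}) (\d\d:\d\d:\d\d) (\S+) -> (\S+)$")
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
FIELD = re.compile(r"^(Src IP|User): \(?([^)]*)\)?$")
RHOST = re.compile(r"\brhost=(\d{1,3}(?:\.\d{1,3}){3})")

def parse_alert(block):
    """Parse one alerts.log record; raise rather than store 0000-00-00 / 0.0.0.0."""
    lines = block.strip().splitlines()
    hdr, ts, rule = HEADER.match(lines[0]), STAMP.match(lines[1]), RULE.match(lines[2])
    if not (hdr and ts and rule):
        raise ValueError("unparseable alert: %r" % lines[:3])
    year, mon, day, clock, host, location = ts.groups()
    if mon not in MONTHS:
        raise ValueError("unknown month abbreviation %r" % mon)
    stamp = datetime.strptime("%s-%02d-%s %s" % (year, MONTHS[mon], day, clock), "%Y-%m-%d %H:%M:%S")
    rec = {"id": hdr.group(1), "timestamp": stamp, "host": host, "location": location,
           "rule": int(rule.group(1)), "level": int(rule.group(2)),
           "description": rule.group(3), "src_ip": None, "user": None, "log": ""}
    for line in lines[3:]:
        f = FIELD.match(line)  # "Src IP: (10.0.3.1)", "User: root", "User: (none)"
        if f:
            rec["src_ip" if f.group(1) == "Src IP" else "user"] = (
                None if f.group(2) in ("", "none") else f.group(2))
        else:
            rec["log"] += line  # the raw log line(s) that fired the rule
    # pam_unix alerts carry Src IP 0.0.0.0; the real peer is in rhost= (assumed fallback).
    if rec["src_ip"] in (None, "0.0.0.0"):
        m = RHOST.search(rec["log"])
        rec["src_ip"] = m.group(1) if m else None
    return rec

def parse_alerts(text):
    return [parse_alert(b) for b in re.split(r"\n\s*\n", text.strip())]

# Constructed sample: the pam_unix alert quoted in the thread, with its wrapped lines rejoined.
SAMPLE = """** Alert 1157715877.7133: mail
2006 Sep 08 12:44:37 testbed2 -> /var/log/messages
Rule: 2502 (level 10) -> 'User missed the password more than one time'
Src IP: (0.0.0.0)
User: (none)
sshd(pam_unix)[15794]: 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.3.1 user=root
"""
```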