I just set up ossec on three machines as follows:

Penguin (RHES4) Installed as "server"
Gateway (RHES4) Installed as "agent"
Media (CentOS 4.4) Installed as "agent".

So far so good, agents and keys all set up as per instructions, and when starting ossec on Server1, I get what looks like the correct response and indication of communication with the agents, from the /var/ossec/logs/ossec.log on Penguin, the "Server" install.
2006/09/21 12:30:55 ossec-remoted: Assigning counter for agent Gateway: '0:6480'.
2006/09/21 12:30:55 ossec-remoted: Assigning counter for agent Media: '0:1070'.
2006/09/21 12:30:55 ossec-remoted: Assigning sender counter: 0:1068
Now both Gateway and Media send syslog to Penguin, which is running as the "server". When I try to log in to either Gateway or Media via SSH and intentionally use a bad password, the syslog on Penguin shows the correct failures, but this does not seem to be caught by ossec? Have I missed something in the configuration with regards to having the server install as the main syslog monitor?
Sep 21 12:47:44 media sshd(pam_unix)[18133]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.somedomain.ca user=root
Any suggestions?
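The sshd line quoted in the post is exactly what a log-analysis rule has to match before anything can be alerted on. As an added example (not from the original post and not OSSEC's own code), here is a small Python parser that pulls the reporting host, remote host and target user out of lines in that pam_unix "authentication failure" format and flags a remote host that fails repeatedly against one machine. The sample log lines are constructed for this example, modelled on the one in the post; the threshold of three failures is an arbitrary choice, not an OSSEC default.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the same pam_unix format as the post's
# sshd entry (hosts, PIDs and remote names are made up for the example).
SAMPLE_SYSLOG = """\
Sep 21 12:47:44 media sshd(pam_unix)[18133]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.somedomain.ca user=root
Sep 21 12:47:51 media sshd(pam_unix)[18133]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.somedomain.ca user=root
Sep 21 12:48:02 gateway sshd(pam_unix)[2201]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=admin
Sep 21 12:48:10 media sshd(pam_unix)[18140]: session opened for user bob by (uid=0)
Sep 21 12:48:30 media sshd(pam_unix)[18150]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.somedomain.ca user=root
"""

# Matches the classic syslog header (month, day, time, host), then the
# sshd(pam_unix)[pid] tag and the "authentication failure" message, and finally
# the rhost= and user= fields.  \buser= does not match inside "ruser=" because
# there is no word boundary between 'r' and 'u'.
AUTH_FAIL_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\(pam_unix\)\[(?P<pid>\d+)\]: authentication failure;"
    r".*?\brhost=(?P<rhost>\S*)"
    r".*?\buser=(?P<user>\S*)"
)


def parse_auth_failures(text):
    """Return one dict per sshd authentication-failure line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if m is None:
            continue  # not an sshd auth failure (e.g. "session opened")
        events.append(
            {
                "timestamp": f"{m['month']} {m['day']} {m['time']}",
                "host": m["host"],
                "pid": int(m["pid"]),
                "rhost": m["rhost"] or "<unknown>",
                "user": m["user"] or "<unknown>",
            }
        )
    return events


def failures_by_source(events):
    """Count failures per (reporting host, remote host) pair."""
    return Counter((e["host"], e["rhost"]) for e in events)


def alerts(events, threshold=3):
    """Return (host, rhost, count) for every pair at or above the threshold.

    The threshold is a hypothetical tuning value for this example.
    """
    counts = failures_by_source(events)
    return sorted(
        (host, rhost, n) for (host, rhost), n in counts.items() if n >= threshold
    )


if __name__ == "__main__":
    evs = parse_auth_failures(SAMPLE_SYSLOG)
    for e in evs:
        print(f"{e['timestamp']} {e['host']}: failed login for {e['user']} from {e['rhost']}")
    for host, rhost, n in alerts(evs):
        print(f"ALERT: {n} failed SSH logins on {host} from {rhost}")
```

Running the block prints the four parsed failures and one alert for the repeated failures on media from somehost.somedomain.ca; the "session opened" line is ignored because it does not match the authentication-failure pattern.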
