Hi Johnny,

You don't see any message at all at /var/ossec/logs/alerts/alerts.log on the server? Note that ossec by default will only send e-mail for alerts with severity (level) >= 7. Just one failed login is generally level 4 or 5... You can change this value to receive e-mails for low severity events.

If you are not getting anything in the alerts log, can you show us your /var/ossec/logs/ossec.log and /var/ossec/etc/ossec.conf from both the server and the agents? In addition to that, in which log file is this message being generated?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/21/06, Johnny Stork <[EMAIL PROTECTED]> wrote:
I just set up ossec on three machines as follows:

Penguin (RHES4) Installed as "server"
Gateway (RHES4) Installed as "agent"
Media (CentOS 4.4) Installed as "agent"

So far so good, agents and keys all set up as per instructions, and when starting ossec on Server1 I get what looks like the correct response and indication of communication with the agents, from the /var/ossec/logs/ossec.log on Penguin, the "Server" install:

2006/09/21 12:30:55 ossec-remoted: Assigning counter for agent Gateway: '0:6480'.
2006/09/21 12:30:55 ossec-remoted: Assigning counter for agent Media: '0:1070'.
2006/09/21 12:30:55 ossec-remoted: Assigning sender counter: 0:1068

Now both Gateway and Media send syslog to Penguin, which is running as the "server". When I try to login to either Gateway or Media via SSH and intentionally use a bad password, the syslog on Penguin shows the correct failures, but this does not seem to be caught by ossec? Have I missed something in the configuration with regards to having the server install as the main syslog monitor?

Sep 21 12:47:44 media sshd(pam_unix)[18133]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.somedomain.ca user=root

Any suggestions?
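An added illustration of the point Daniel makes about alert levels (this is example code written for this page, not OSSEC's own analysis engine and not anything posted in the thread): a small analyzer that matches the sshd pam_unix "authentication failure" line Johnny quoted, assigns it a level, and then decides separately whether the alert would be written to alerts.log and whether it would be e-mailed. The log/e-mail thresholds (1 and 7) are the defaults the reply describes; the rule levels (5 for a single failure, 10 for a burst), the burst threshold (6 failures from one source within 120 seconds) and the year used for the syslog timestamps are assumptions chosen for the example, and the sample log lines are constructed, modelled on the one in the thread.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Defaults as described in the reply: everything at or above level 1 is
# written to alerts.log, but e-mail only goes out at level 7 and above.
DEFAULT_LOG_ALERT_LEVEL = 1
DEFAULT_EMAIL_ALERT_LEVEL = 7

# Assumed rule levels for this example (not the real OSSEC rule levels):
# a single pam_unix failure is low severity, a burst of them is escalated.
SINGLE_FAILURE_LEVEL = 5
REPEAT_FAILURE_LEVEL = 10
REPEAT_THRESHOLD = 6          # assumed: this many failures from one source...
REPEAT_WINDOW_SECONDS = 120   # ...within this window escalates the alert

# Matches the RHEL4/CentOS4-era sshd(pam_unix) failure line from the thread.
PAM_FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\(pam_unix\)\[\d+\]: authentication failure; .*?"
    r"rhost=(?P<rhost>\S*) user=(?P<user>\S+)"
)


def parse_syslog_ts(ts, year=2006):
    """Syslog timestamps carry no year; assume the year of the thread."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


class FailedLoginAnalyzer:
    def __init__(self, log_alert_level=DEFAULT_LOG_ALERT_LEVEL,
                 email_alert_level=DEFAULT_EMAIL_ALERT_LEVEL):
        self.log_alert_level = log_alert_level
        self.email_alert_level = email_alert_level
        # (host, rhost) -> timestamps of recent failures, oldest first
        self.recent = defaultdict(deque)

    def process(self, line):
        """Return an alert dict for a matching line, or None for a non-match."""
        m = PAM_FAIL_RE.match(line)
        if m is None:
            return None
        ts = parse_syslog_ts(m["ts"])
        window = self.recent[(m["host"], m["rhost"])]
        window.append(ts)
        # Drop failures that fell out of the sliding window.
        while (ts - window[0]).total_seconds() > REPEAT_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= REPEAT_THRESHOLD:
            level, description = REPEAT_FAILURE_LEVEL, "sshd: multiple authentication failures"
            window.clear()  # restart the count so the escalated alert fires once per burst
        else:
            level, description = SINGLE_FAILURE_LEVEL, "sshd: authentication failure"
        return {
            "timestamp": ts,
            "host": m["host"],
            "rhost": m["rhost"],
            "user": m["user"],
            "level": level,
            "description": description,
            "logged": level >= self.log_alert_level,
            "emailed": level >= self.email_alert_level,
        }


def run(lines, email_alert_level=DEFAULT_EMAIL_ALERT_LEVEL):
    analyzer = FailedLoginAnalyzer(email_alert_level=email_alert_level)
    return [a for a in map(analyzer.process, lines) if a is not None]


# Constructed sample input: six quick failures against media from one host,
# one failure against gateway, and one unrelated pam_unix line.
SAMPLE_LOG = [
    f"Sep 21 12:47:{sec} media sshd(pam_unix)[18133]: authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.somedomain.ca user=root"
    for sec in ("44", "47", "50", "53", "56", "59")
] + [
    "Sep 21 12:50:01 gateway sshd(pam_unix)[2201]: authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=johnny",
    "Sep 21 12:50:02 gateway crond(pam_unix)[2205]: session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(f"{alert['timestamp']:%H:%M:%S} {alert['host']:8} level {alert['level']:2} "
              f"logged={alert['logged']} emailed={alert['emailed']}  {alert['description']}")
```

With the default e-mail threshold, the single failures are written to the alerts log but never mailed, which is the symptom described if only the mailbox is being watched; only the sixth failure in the burst crosses level 7. Passing a lower `email_alert_level` (the equivalent of lowering `<email_alert_level>` in the `<alerts>` section of ossec.conf) makes every failure mail-worthy. The first thing to check is therefore alerts.log itself, as the reply says: if the level 5 alerts are missing there too, the problem is collection, not the e-mail threshold.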
