The level of alerting seems to be the problem (a failed login with level 4 did send me an email now), but just to be safe, and to ensure I actually have things configured properly considering that all other agents send their syslog to the server (Penguin), could I trouble you to check the settings? Attached are the files:

server.ossec.log (log file from Penguin, server install)
server.ossec.conf (ossec.conf from Penguin, server install)
agent.ossec.conf (ossec.conf from Media, one of the agent installs)

> -----Original Message-----
> From: Daniel Cid [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 21, 2006 1:02 PM
> To: [email protected]
> Subject: [ossec-list] Re: Remote syslog configuration question
>
> Hi Johnny,
>
> You don't see any message at all at /var/ossec/logs/alerts/alerts.log on the server?
> Note that ossec by default will only send e-mail for alerts with severity (level) >= 7. Just one failed login is generally level 4 or 5...
> You can change this value to receive e-mails for low severity events.
>
> If you are not getting anything in the alerts log, can you show us your /var/ossec/logs/ossec.log and /var/ossec/etc/ossec.conf from both the server and the agents? In addition to that, in which log file is this message being generated?
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On 9/21/06, Johnny Stork <[EMAIL PROTECTED]> wrote:
> >
> > I just set up ossec on three machines as follows:
> >
> > Penguin (RHES4) Installed as "server"
> > Gateway (RHES4) Installed as "agent"
> > Media (CentOS 4.4) Installed as "agent".
> >
> > So far so good, agents and keys all set up as per instructions, and when starting ossec on Server1, I get what looks like the correct response and indication of communication with the agents, from the /var/ossec/logs/ossec.log on Penguin, the "Server" install.
> >
> > 2006/09/21 12:30:55 ossec-remoted: Assigning counter for agent Gateway: '0:6480'.
> > 2006/09/21 12:30:55 ossec-remoted: Assigning counter for agent Media: '0:1070'.
> > 2006/09/21 12:30:55 ossec-remoted: Assigning sender counter: 0:1068
> >
> > Now both Gateway and Media send syslog to Penguin, which is running as the "server". When I try to log in to either Gateway or Media via SSH and intentionally use a bad password, the syslog on Penguin shows the correct failures, but this does not seem to be caught by ossec. Have I missed something in the configuration with regards to having the server install as the main syslog monitor?
> >
> > Sep 21 12:47:44 media sshd(pam_unix)[18133]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=somehost.somedomain.ca user=root
> >
> > Any suggestions?
Attachments: server.ossec.log, agent-ossec.conf, server.ossec.conf
