It is not a bug, but part of ossec :) Basically, this rule will fire whenever ossec sees a new login from a specific username on a specific log. If you look at /var/ossec/queue/fts/fts-queue you will see all entries in there. Mine has the following for example:

    sshd dcid /var/log/authlog
    sshd dcid (slack) 192.168.2.32->/var/log/messages
    sshd meirm /var/log/authlog

*If you reinstall ossec these entries will go away, so you will get these messages all over again.
*Note that even if you logged 1,000 times to the box before, if ossec was not installed it will not know about them.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/29/06, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
This has also been a randomly recurring bug... It is, of course, not the first time I logged in - it's more like the 1,000,000th ;-)

I also took note that the active response seems to work better on Linux than it does on *BSD.

Received From: mail->/var/log/auth.log
Rule: 10100 fired (level 4) -> "First time user logged in."
Portion of the log(s):

sshd[31491]: Accepted keyboard-interactive/pam for forrie from 192.168.1.1 port 61712 ssh2

--END OF NOTIFICATION
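
The behaviour described in this thread, as an added example that is not part of the original messages and is not OSSEC's code: a simplified model of a first-time-seen store keyed on (program, user, log location), like the fts-queue entries shown above. The JSON state file and the class and function names are assumptions for illustration; the log line is the one from the notification.

```python
import json
import re
from pathlib import Path

# Matches the sshd success line format shown in the notification above.
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")

class FirstTimeSeen:
    """Simplified first-time-seen store (assumed JSON state, not OSSEC's file format)."""

    def __init__(self, state_file):
        self.state_file = Path(state_file)
        self.seen = set()
        if self.state_file.exists():
            self.seen = {tuple(k) for k in json.loads(self.state_file.read_text())}

    def check(self, location, line):
        """Return an alert the first time a (program, user, location) key appears."""
        m = ACCEPTED.search(line)
        if not m:
            return None
        key = ("sshd", m.group("user"), location)
        if key in self.seen:
            return None  # already known on this log: stay silent
        self.seen.add(key)
        self.state_file.write_text(json.dumps(sorted(self.seen)))
        return f"First time user logged in: {key[1]} via {location}"

def demo(workdir):
    """Replay the log line through each situation discussed in the thread."""
    state = Path(workdir) / "fts-state.json"  # hypothetical state file name
    line = "sshd[31491]: Accepted keyboard-interactive/pam for forrie from 192.168.1.1 port 61712 ssh2"
    loc = "mail->/var/log/auth.log"
    fts = FirstTimeSeen(state)
    first = fts.check(loc, line)                             # new key: alert
    repeat = fts.check(loc, line)                            # same key: silent
    other_log = fts.check("mail->/var/log/messages", line)   # same user, other log: alert
    restarted = FirstTimeSeen(state).check(loc, line)        # state persisted: silent
    state.unlink()                                           # state lost, as on a reinstall
    after_wipe = FirstTimeSeen(state).check(loc, line)       # alert fires again
    return first, repeat, other_log, restarted, after_wipe
```

When triaging a "first time" alert for a long-standing account, checking whether the state store was recently recreated distinguishes a reinstall from a genuinely new login source.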
