Okay, how about "First time user logged in, during log cycle" or
something, that is more informative. ;-)
Daniel Cid wrote:
It is not a bug, but part of ossec :) Basically, this rule will fire whenever
ossec sees a new login from a specific username on a specific
log. If you look at /var/ossec/queue/fts/fts-queue you will see all entries
in there.
Mine has the following for example:
sshd dcid /var/log/authlog
sshd dcid (slack) 192.168.2.32->/var/log/messages
sshd meirm /var/log/authlog
*If you reinstall ossec these entries will go away, so you will get these
messages all over again.
*Note that even if you logged in 1,000 times to the box before, if
ossec was not installed it will not know about them.
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/29/06, Forrest Aldrich <[EMAIL PROTECTED]> wrote:
This has also been a randomly recurring bug...
It is, of course, not the first time I logged in - it's more like the
1,000,000th ;-)
I also took note that the active response seems to work better on Linux
than it does on *BSD.
Received From: mail->/var/log/auth.log
Rule: 10100 fired (level 4) -> "First time user logged in."
Portion of the log(s):
sshd[31491]: Accepted keyboard-interactive/pam for forrie from 192.168.1.1 port 61712 ssh2
--END OF NOTIFICATION
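
A simplified model of the first-time-seen behaviour described in the thread, added here as an example; it is not part of the original messages and not OSSEC's own code. The class name `FirstTimeSeen`, the regex and the one-entry-per-line state file are assumptions modelled on the fts-queue entries quoted above; it shows why the alert repeats once the state file is lost.

```python
import os
import re
import tempfile

# Matches the "Accepted <method> for <user> from <ip>" part of an sshd log line.
ACCEPTED = re.compile(r"(?P<prog>sshd)\[\d+\]: Accepted \S+ for (?P<user>\S+) from \S+")


class FirstTimeSeen:
    """File-backed set of 'program user location' entries (assumed format)."""

    def __init__(self, path):
        self.path = path
        self.seen = set()
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.seen = {line.rstrip("\n") for line in fh if line.strip()}

    def check(self, log_line, location):
        """Return the new entry if this login is a first sighting, else None."""
        m = ACCEPTED.search(log_line)
        if m is None:
            return None
        entry = f"{m['prog']} {m['user']} {location}"
        if entry in self.seen:
            return None
        self.seen.add(entry)
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(entry + "\n")
        return entry


def demo():
    # Constructed sample line modelled on the alert quoted in the thread.
    line = ("sshd[31491]: Accepted keyboard-interactive/pam for forrie "
            "from 192.168.1.1 port 61712 ssh2")
    loc = "mail->/var/log/auth.log"
    with tempfile.TemporaryDirectory() as d:
        queue = os.path.join(d, "fts-queue")
        fts = FirstTimeSeen(queue)
        first = fts.check(line, loc)                        # new entry: alert fires
        repeat = fts.check(line, loc)                       # already recorded: silent
        restarted = FirstTimeSeen(queue).check(line, loc)   # state reloaded: silent
        os.remove(queue)                                    # state lost, as after a reinstall
        after_wipe = FirstTimeSeen(queue).check(line, loc)  # fires again
        other_log = fts.check(line, "mail->/var/log/messages")  # same user, new log
    return first, repeat, restarted, after_wipe, other_log
```

Keeping the state file across reinstalls or migrations is what prevents a flood of repeat "first time" alerts for long-standing accounts.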