Hi,

On 10/9/07, Carlos Eduardo Pedroza Santiviago <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Below is an output of my sshd logins, it's currently an AIX 5.3:
>
> Oct 9 09:50:40 MACHINE auth|security:info sshd[229596]: Accepted
> password for USER from 172.29.14.41 port 55839 ssh2
>
> After that, I issue a "sudo su", and then it gets logged as:
>
> Oct 9 09:50:41 MACHINE auth|security:notice sudo: USER : TTY=pts/22
> ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/su
> Oct 9 09:50:41 MACHINE auth|security:notice su: from root to root at
> /dev/pts/22
>
> Could this be added as a standard rule or should I create a customized
> version here?
>
> More information about the system:
>
> (MACHINE:/var/log)$ uname -a
> AIX MACHINE 3 5 00C3541E4C00
> (MACHINE:/var/log)$ oslevel -r
> 5300-04
>

Sorry, I forgot to mention that OSSEC console currently doesn't log
anything about the successful login. It only reports when there is a
failed login, like this one:

** Alert 1191934768.3291914: - syslog,access_control,authentication_failed,
2007 Oct 09 09:59:28 (MACHINE) 172.17.30.44->/var/log/auth.log
Rule: 2501 (level 5) -> 'User authentication failure.'
Src IP: (none)
User: (none)
Oct 9 09:59:27 MACHINE auth|security:info syslog: ssh: failed login attempt for UNKNOWN_USER from 172.29.14.41

Thank you,

-- 
Carlos Eduardo Pedroza Santiviago
http://softwarelivre.net | Passo-a-passo rumo à liberdade!
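Added example, not part of the original message and not OSSEC's own decoders: a small Python parser for the AIX syslog layout shown above (the "facility|facility:priority" tag before the program name) that extracts the fields a login or privilege-change rule would key on. The names classify, AIX_LINE, EVENTS and SAMPLE are hypothetical.

```python
import re

# On AIX a "facility|facility:priority" tag precedes the program name.
AIX_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+"
    r"(?P<facility>[\w|]+):(?P<priority>\w+)\s+"
    r"(?P<program>[\w./-]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)

# (event type, program name, message pattern), taken from the four lines above.
EVENTS = [
    ("ssh_accepted", "sshd", re.compile(
        r"Accepted (?P<method>\S+) for (?P<user>\S+) "
        r"from (?P<srcip>\S+) port (?P<port>\d+)")),
    ("sudo_command", "sudo", re.compile(
        r"(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)"
        r"\s+;\s+USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<command>.+)$")),
    ("su_switch", "su", re.compile(
        r"from (?P<user>\S+) to (?P<runas>\S+) at (?P<tty>\S+)")),
    ("ssh_failed", "syslog", re.compile(
        r"ssh: failed login attempt for (?P<user>\S+) from (?P<srcip>\S+)")),
]

def classify(line):
    """Return a dict of decoded fields, or None if the header does not parse."""
    m = AIX_LINE.match(line)
    if not m:
        return None
    event = {k: m[k] for k in ("host", "facility", "priority", "program")}
    event["type"] = "unclassified"
    for name, program, pattern in EVENTS:
        hit = pattern.match(m["msg"]) if m["program"] == program else None
        if hit:
            event.update(hit.groupdict(), type=name)
            break
    return event

# Log lines from the message above, with the e-mail line wrapping undone.
SAMPLE = [
    "Oct 9 09:50:40 MACHINE auth|security:info sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2",
    "Oct 9 09:50:41 MACHINE auth|security:notice sudo: USER : TTY=pts/22 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/su",
    "Oct 9 09:50:41 MACHINE auth|security:notice su: from root to root at /dev/pts/22",
    "Oct 9 09:59:27 MACHINE auth|security:info syslog: ssh: failed login attempt for UNKNOWN_USER from 172.29.14.41",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
```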
