Hi Carlos, OSSEC already has parsers for these logs, but they are coming in a non-standard syslog format.

We expect:

Oct 9 09:50:40 MACHINE sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2

While you have:

Oct 9 09:50:40 MACHINE auth|security:info sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2

Is this something special to your AIX config? Can you change it to the standard format? Any other AIX user in here with more information on this?

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 10/9/07, Carlos Eduardo Pedroza Santiviago <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Below is an output of my sshd logins, it's currently an AIX 5.3:
>
> Oct 9 09:50:40 MACHINE auth|security:info sshd[229596]: Accepted
> password for USER from 172.29.14.41 port 55839 ssh2
>
> After that, I issue a "sudo su", and then it gets logged as:
>
> Oct 9 09:50:41 MACHINE auth|security:notice sudo: USER : TTY=pts/22
> ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/su
> Oct 9 09:50:41 MACHINE auth|security:notice su: from root to root at
> /dev/pts/22
>
> Could this be added as a standard rule or should I create a customized
> version here?
>
> More information about the system:
>
> (MACHINE:/var/log)$ uname -a
> AIX MACHINE 3 5 00C3541E4C00
> (MACHINE:/var/log)$ oslevel -r
> 5300-04
>
> thank you,
> --
> Carlos Eduardo Pedroza Santiviago
> http://softwarelivre.net | Step by step towards freedom!
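The format mismatch discussed in this thread, as an added example that is not part of the original posts and not OSSEC's own decoder code: a small parser that accepts both the standard syslog header and the AIX header with its extra "facility|facility:level" field, strips that field so the line looks like what OSSEC expects, and then picks out the accepted sshd logins. It assumes the AIX tag always has the shape shown in Carlos's lines; the sample lines are reconstructed from the thread.

```python
import re

# Constructed samples: the standard form OSSEC expects, then the AIX 5.3 forms
# from the thread, each carrying an "auth|security:<level>" field after the host.
SAMPLE_LINES = [
    "Oct 9 09:50:40 MACHINE sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2",
    "Oct 9 09:50:40 MACHINE auth|security:info sshd[229596]: Accepted password for USER from 172.29.14.41 port 55839 ssh2",
    "Oct 9 09:50:41 MACHINE auth|security:notice sudo: USER : TTY=pts/22 ; PWD=/home/USER ; USER=root ; COMMAND=/usr/bin/su",
    "Oct 9 09:50:41 MACHINE auth|security:notice su: from root to root at /dev/pts/22",
]

# "Mon DD HH:MM:SS host", an optional AIX "fac|fac:level" tag (assumed shape),
# then "program[pid]: " or "program: ", then the free-text message.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<aixtag>[\w|]+:\w+) )?"
    r"(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_syslog(line):
    """Return the header fields as a dict, or None if the line is not syslog-shaped."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def normalize(line):
    """Rewrite an AIX-style line into the standard form; standard lines pass through."""
    f = parse_syslog(line)
    if f is None:
        return line
    pid = f"[{f['pid']}]" if f["pid"] else ""
    return f"{f['ts']} {f['host']} {f['prog']}{pid}: {f['msg']}"


def ssh_logins(lines):
    """Return (user, source_ip) for every successful sshd login, in either format."""
    hits = []
    for line in lines:
        f = parse_syslog(normalize(line))
        if f and f["prog"] == "sshd":
            m = ACCEPTED_RE.match(f["msg"])
            if m:
                hits.append((m["user"], m["src"]))
    return hits
```

Running `normalize` over the AIX lines before they reach OSSEC (or porting the same regex into a custom decoder) is one way to get the existing sshd and sudo rules to fire without changing the AIX syslog configuration.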
