You can take the event id from active-responses.log and look it up in alerts.log.
Active-responses.log:

Fri Oct 19 08:23:37 EDT 2007 /var/ossec/active-response/bin/host-deny.sh delete - 200.56.139.214 1192795987.2901765 5712

1192795987.2901765 is the ID. In alerts.log:

** Alert 1192795987.2901765: - syslog,sshd,invalid_login,
2007 Oct 19 08:13:07 bro->/var/log/secure
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 200.56.139.214
User: (none)
Oct 19 08:13:07 bro sshd[26650]: Illegal user william from 200.56.139.214

Hope this helps,
Rick

> -----Original Message-----
> From: [email protected] [mailto:[EMAIL PROTECTED] On Behalf Of Paco Avila
> Sent: Friday, October 19, 2007 4:18 AM
> To: [email protected]
> Subject: [ossec-list] How can I see why an IP has been blocked?
> Importance: Low
>
> I can see an active response log in /var/ossec/logs/active-responses.log,
> but I can't see why an IP has been blocked.
>
> --
> GIT CONSULTORS
>
> www.git.es
>
> Tel: +34 971 498 310
> Fax: +34 971 496 189
>
> C/ Francesc Rover, 2B.
> 07003 Palma de Mallorca - Illes Balears (España)
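An added example (not from the thread and not OSSEC's own tooling) that automates Rick's lookup: parse active-responses.log, take the alert id, and pull the matching block out of alerts.log. The log data below is constructed to match the formats quoted above; the field order assumed for active-responses.log (timestamp, script, action, user, IP, alert id, rule id) is taken from the line Rick quoted.

```python
import re
# Constructed sample data shaped like the two files quoted in the thread (not the original logs).
ACTIVE_RESPONSES_LOG = """\
Fri Oct 19 08:13:37 EDT 2007 /var/ossec/active-response/bin/host-deny.sh add - 200.56.139.214 1192795987.2901765 5712
Fri Oct 19 08:23:37 EDT 2007 /var/ossec/active-response/bin/host-deny.sh delete - 200.56.139.214 1192795987.2901765 5712
"""
ALERTS_LOG = """\
** Alert 1192795900.2900001: - syslog,sshd,
2007 Oct 19 08:11:40 bro->/var/log/secure
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.0.0.5
User: root
Oct 19 08:11:40 bro sshd[26640]: Failed password for root from 10.0.0.5 port 4022 ssh2

** Alert 1192795987.2901765: - syslog,sshd,invalid_login,
2007 Oct 19 08:13:07 bro->/var/log/secure
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 200.56.139.214
User: (none)
Oct 19 08:13:07 bro sshd[26650]: Illegal user william from 200.56.139.214
"""

def parse_active_responses(text):
    """One dict per line; fields are read from the right because the timestamp has spaces:
    <timestamp> <script> <action> <user> <ip> <alert id> <rule id>"""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue  # blank or malformed line
        rows.append({"when": " ".join(parts[:-6]), "script": parts[-6],
                     "action": parts[-5], "user": parts[-4], "ip": parts[-3],
                     "alert_id": parts[-2], "rule": parts[-1]})
    return rows

def index_alerts(text):
    """Map alert id -> its full alerts.log block (blocks are blank-line separated)."""
    alerts = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        m = re.match(r"\*\* Alert (\d+\.\d+):", block)
        if m:
            alerts[m.group(1)] = block
    return alerts

def why_blocked(ip, ar_text=ACTIVE_RESPONSES_LOG, alerts_text=ALERTS_LOG):
    """Alert blocks whose id appears on an 'add' (block) action against `ip`."""
    alerts = index_alerts(alerts_text)
    return [alerts[r["alert_id"]] for r in parse_active_responses(ar_text)
            if r["ip"] == ip and r["action"] == "add" and r["alert_id"] in alerts]
```

Point the two constants at the real files under /var/ossec/logs/ to run it against a live installation; only the "add" action is matched, since that is the event that actually blocked the address.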
