I have installed OSSEC in server/agents mode. In the agent I see the
file /var/ossec/logs/active-responses.log and in the server I look into
the file /var/ossec/logs/alerts/alerts.log but I can't find any agent
event-id in this server log :(

On Fri, 19-10-2007 at 10:09 -0400, McClinton, Rick wrote:
> You can take the event id from active-responses.log and look it up in 
> alerts.log.
> 
> Active-responses.log:
> 
> Fri Oct 19 08:23:37 EDT 2007 /var/ossec/active-response/bin/host-deny.sh delete - 200.56.139.214 1192795987.2901765 5712
> 
> 1192795987.2901765 is the ID. In alerts.log:
> 
> ** Alert 1192795987.2901765: - syslog,sshd,invalid_login,
> 2007 Oct 19 08:13:07 bro->/var/log/secure
> Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
> Src IP: 200.56.139.214
> User: (none)
> Oct 19 08:13:07 bro sshd[26650]: Illegal user william from 200.56.139.214
> 
> 
> Hope this helps,
> Rick
> 
> 
> > -----Original Message-----
> > From: [email protected] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Paco Avila
> > Sent: Friday, October 19, 2007 4:18 AM
> > To: [email protected]
> > Subject: [ossec-list] How can I see why a IP has been bloqued?
> > Importance: Low
> > 
> > 
> > I can see an active response log
> > in /var/ossec/logs/active-responses.log, but I can't see why an IP has
> > been blocked.
> > 
> > --
> > GIT CONSULTORS
> > 
> > www.git.es
> > 
> > Tel: +34 971 498 310
> > Fax: +34 971 496 189
> > 
> > C/ Francesc Rover, 2B.
> > 07003 Palma de Mallorca - Illes Balears (España)
> 
-- 
GIT CONSULTORS 

www.git.es

Tel: +34 971 498 310
Fax: +34 971 496 189

C/ Francesc Rover, 2B. 
07003 Palma de Mallorca – Illes Balears (España)
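
Added example, not part of the original thread and not OSSEC's own code: a Python script that automates the lookup Rick describes, taking the alert ID from each active-responses.log line and returning the matching block from alerts.log. The function names are hypothetical, the field layout is assumed from the single log line quoted above, and the sample logs are the thread's excerpts plus one constructed filler alert.

```python
import re

# Sample input: the excerpts quoted in the thread, plus one constructed filler alert.
AR_LOG = """\
Fri Oct 19 08:23:37 EDT 2007 /var/ossec/active-response/bin/host-deny.sh delete - 200.56.139.214 1192795987.2901765 5712
"""
ALERTS_LOG = """\
** Alert 1192795987.2901765: - syslog,sshd,invalid_login,
2007 Oct 19 08:13:07 bro->/var/log/secure
Rule: 5710 (level 5) -> 'Attempt to login using a non-existent user'
Src IP: 200.56.139.214
User: (none)
Oct 19 08:13:07 bro sshd[26650]: Illegal user william from 200.56.139.214

** Alert 1192796000.2902000: - syslog,constructed,
Rule: 1002 (level 2) -> 'Constructed filler alert'
"""

# Trailing fields of an active-response line, as seen in the thread (assumed layout):
# <script> <action> <user> <src ip> <alert id> <rule id>
AR_RE = re.compile(r"(?P<script>/\S+)\s+(?P<action>add|delete)\s+(?P<user>\S+)\s+"
                   r"(?P<srcip>\S+)\s+(?P<alert_id>\d+\.\d+)\s+(?P<rule>\d+)\s*$")
ALERT_HDR = re.compile(r"^\*\* Alert (\d+\.\d+):")

def parse_active_responses(text):
    """Return one dict per active-response line that matches the layout."""
    return [m.groupdict() for m in map(AR_RE.search, text.splitlines()) if m]

def index_alerts(text):
    """Map alert id -> full alert block (header line through last body line)."""
    blocks, current = {}, None
    for line in text.splitlines():
        hdr = ALERT_HDR.match(line)
        if hdr:
            current = hdr.group(1)
            blocks[current] = [line]
        elif current and line.strip():
            blocks[current].append(line)
    return {k: "\n".join(v) for k, v in blocks.items()}

def explain_blocks(ar_text, alerts_text):
    """Pair each active response with the alert that triggered it (None if absent)."""
    alerts = index_alerts(alerts_text)
    return [(ar, alerts.get(ar["alert_id"])) for ar in parse_active_responses(ar_text)]

if __name__ == "__main__":
    for ar, alert in explain_blocks(AR_LOG, ALERTS_LOG):
        print(f"{ar['action']} {ar['srcip']} (alert {ar['alert_id']})")
        print(alert or "  no matching alert in this alerts.log")
```

To run it against real logs, read the contents of /var/ossec/logs/active-responses.log and /var/ossec/logs/alerts/alerts.log and pass them to `explain_blocks`; a `None` result means the ID was not found in the alerts.log that was searched.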
