What's the issue? That's normal, since ossec-wui displays all alert
levels, and with a web app tied to a MySQL db, for example, you're going
to have frequent auth success for web app DB calls.

mysql_rules.xml:

  <rule id="50105" level="3">
    <if_sid>50100</if_sid>
    <regex>^MySQL log: \d+ \S+ \d+ Connect</regex>
    <description>Database authentication success.</description>
    <group>authentication_success,</group>
  </rule>

cheers,
-cnk-
On Tue, Mar 25, 2008 at 3:24 AM, <[EMAIL PROTECTED]> wrote:
>
> Hi
>
> I have configured an ossec agent to read MySQL logs (both error log and
> query log), however, when I add the lines for the "generic query
> log" to the agent ossec.conf I continuously receive "Database
> notification success" on ossec-wui!
> Any help is appreciated.
>
> -siamak
>
>
> 2008 Mar 20 17:32:42 Rule Id: 50105 level: 3
> Location: (zorba) xx.xx.xx.xx->/var/lib/mysql/onion.log
> Database authentication success.
> MySQL log: 080320 16:32:41 7385 Connect [EMAIL PROTECTED] on
>
> 2008 Mar 20 17:32:42 Rule Id: 50105 level: 3
> Location: (zorba) xx.xx.xx.xx->/var/lib/mysql/onion.log
> Database authentication success.
> MySQL log: 080320 16:32:40 7384 Connect [EMAIL PROTECTED] on
>
> 2008 Mar 20 17:32:40 Rule Id: 50105 level: 3
> Location: (zorba) xx.xx.xx.xx->/var/lib/mysql/onion.log
> Database authentication success.
> MySQL log: 080320 16:32:39 7383 Connect [EMAIL PROTECTED] on
>
> ....
>
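
One way to quiet these alerts without losing sight of other database logins, shown as an added example that is not part of the original thread or the stock OSSEC ruleset: a child rule in local_rules.xml on the OSSEC server that drops the expected web application login to level 0. The rule id 100105 and the account string webapp@localhost are assumptions, since the real account is redacted in the log lines above.

```xml
<!-- rules/local_rules.xml (added example; not from the stock OSSEC ruleset) -->
<group name="local,mysql_log,">

  <!-- Child of 50105: evaluated only after the parent rule has matched.
       Level 0 tells OSSEC to ignore the event, so logins by the web
       application's own account no longer produce an alert.
       "webapp@localhost" is a constructed placeholder; substitute the
       user@host string that follows "Connect" in your query log. -->
  <rule id="100105" level="0">
    <if_sid>50105</if_sid>
    <match>Connect webapp@localhost on </match>
    <description>Expected MySQL login by the web application account.</description>
  </rule>

</group>
```

Successful logins by any other account still raise rule 50105 at level 3, so an unexpected user connecting to the database stays visible.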