You need ossec v2.0 to have ossec-reportd there by default. To create reports based on the src ip, try:
# cat /var/ossec/logs/alerts/alerts.log | /var/ossec/bin/ossec-reportd -f group authentication_success -r user srcip

Related entries for 'Username':
------------------------------------------------
dcid        |4       |
   srcip: '192.168.2.15'
   srcip: '192.168.1.2'
root        |2       |
   srcip: '192.168.1.1'
root        |1       |
   srcip: '(none)'

It will show the top entries for srcip, locations, etc. related to every authentication success. It will also show for each user name the source ips that it logged in from (that's what the -r user srcip does). Now, if you switch to "-r srcip user", you will see for each source ip which user logged in.

So, in my box here, if I do a monthly report of all the authentication failures (mostly due to sshd brute forces), I get:

# zcat /var/ossec/logs/alerts/2009/Jan/*.gz | /var/ossec/bin/ossec-reportd -f group authentication_failed -r srcip user -r user srcip -r location srcip

..
root        |389     |
   srcip: '92.62.100.6'
   srcip: '202.122.19.23'
   srcip: '122.193.0.164'
   srcip: '210.243.58.214'
   srcip: '217.172.178.126'
   srcip: '202.134.107.245'
   srcip: '91.200.51.86'
   srcip: '204.215.65.203'
   srcip: '202.108.29.9'
   srcip: '218.22.67.123'
   srcip: '69.64.47.30'
   srcip: '221.130.197.204'
   srcip: '190.169.254.32'
   srcip: '190.169.254.18'
   srcip: '85.17.207.237'
   srcip: '203.94.243.223'
   srcip: '116.228.234.36'
   srcip: '192.168.2.15'
   srcip: '140.127.198.18'
   srcip: '122.193.4.115'
   srcip: '61.164.109.12'
   srcip: '201.116.17.162'
   srcip: '201.29.129.14'
   srcip: '61.164.112.27'
   srcip: '83.103.223.10'
   srcip: '117.28.224.71'
   srcip: '38.108.32.213'
   srcip: '204.11.236.6'
   srcip: '121.11.171.89'
   srcip: '64.251.31.151'
   srcip: '61.138.177.91'
   srcip: '222.73.49.83'
   srcip: '121.241.242.20'
   srcip: '140.127.168.2'
   srcip: '60.199.206.253'
   srcip: '122.200.105.83'
   srcip: '200.35.151.178'
   srcip: '207.150.183.26'
   srcip: '130.15.26.78'
   srcip: '200.30.136.146'
   srcip: '190.66.8.156'
   srcip: '202.109.114.147'
   srcip: '221.130.193.169'
nobody      |14      |
   srcip: '203.94.243.223'
   srcip: '140.127.198.18'
   srcip: '61.164.109.12'
   srcip: '61.164.112.27'
   srcip: '122.200.105.83'
   srcip: '202.109.114.147'
bin         |4       |
   srcip: '91.196.171.237'

So you can see that the only user names tried were root, nobody and bin from all these ips... Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, Feb 18, 2009 at 5:23 PM, Reggie Griffin <[email protected]> wrote:
>
> Does anyone have some advice on creating reports based upon SRC IP? I
> looked back at some
> entries in the mailing list regarding ossec-reportd, but I do not have
> that executable. I poked around
> in the src/monitord directory, and I see that report.c is there. Running
> ossec-monitord -h does not
> show any options for creating reports.
>
> -Reggie
>
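A small Python model of the relation ossec-reportd computes in the reply above (an added example, not OSSEC's own code and not from the mail thread): it parses a constructed alerts.log sample, filters by group the way -f does, and builds the "-r user srcip" / "-r srcip user" tables. The alerts.log layout it assumes (a "** Alert" header carrying the group list, a location line, then "Src IP:" and "User:" fields, alerts separated by blank lines) is an assumption, as are the addresses and user names.

```python
import re
# Constructed sample in the alerts.log layout ossec-reportd reads (assumed:
# '** Alert' header carrying the group list, then location, Src IP, User).
SAMPLE_ALERTS = """\
** Alert 1232000000.100: - syslog,sshd,authentication_failed,
2009 Jan 15 10:02:11 box->/var/log/auth.log
Src IP: 192.0.2.10
User: root

** Alert 1232000001.200: - syslog,sshd,authentication_failed,
2009 Jan 15 10:02:13 box->/var/log/auth.log
Src IP: 198.51.100.7
User: root

** Alert 1232000002.300: - syslog,sshd,authentication_success,
2009 Jan 15 10:05:00 box->/var/log/auth.log
Src IP: 192.0.2.10
User: dcid
"""
HEADER = re.compile(r"^\*\* Alert [\d.]+: .*- (?P<groups>\S+)$")
FIELD = re.compile(r"^(?:Src IP: (?P<srcip>.+)|User: (?P<user>.+))$")

def parse_alerts(text):  # one dict per alert: group set, location, srcip, user
    alerts = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if m:  # anything that is not an alert header is skipped
            a = {"group": set(m.group("groups").strip(",").split(",")),
                 "location": lines[1].split()[-1]}  # 'host->/path'
            for f in filter(None, map(FIELD.match, lines[2:])):
                a.update({k: v for k, v in f.groupdict().items() if v})
            alerts.append(a)
    return alerts

def related(alerts, group, key, rel):
    # Same relation as '-f group <group> -r <key> <rel>': for each value of
    # <key> among alerts in <group>, the alert count and distinct <rel> values.
    table = {}
    for a in alerts:
        if group in a["group"]:
            entry = table.setdefault(a.get(key, "(none)"), [0, []])
            entry[0] += 1
            if a.get(rel, "(none)") not in entry[1]:
                entry[1].append(a.get(rel, "(none)"))
    return table

if __name__ == "__main__":  # the '-r user srcip' view of the failed logins
    for user, (n, ips) in related(parse_alerts(SAMPLE_ALERTS), "authentication_failed", "user", "srcip").items():
        print(f"{user:<12}|{n:<8}|" + "".join(f"\n   srcip: '{ip}'" for ip in ips))
```

Swapping the last two arguments of related() gives the "-r srcip user" view, and passing "location" as the key gives the per-location table.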
