Hi, I created a rule for the OpenVPN log with the "bad word" "TLS Error: TLS
handshake failed". I'm getting a mail alert like this:
OSSEC HIDS Notification.
2009 Dec 01 13:25:12
Received From: (OPENVPN) 192.168.30.200->/var/log/messages
Rule: 1009 fired (level 10) -> "Certificate not valid/expired or
connection error"
Portion of the log(s):
Dec 1 13:23:15 thunderstruck openvpnserver[813]: 82.42.227.22:1194 TLS
Error: TLS handshake failed
--END OF NOTIFICATION
I want to extract the IP from this portion of the log (in this case
82.42.227.22) and block it with Active Response :)
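One way to do what the post asks, as an added example and not configuration from the original thread: a child decoder pulls the peer address out of the OpenVPN line into `srcip`, a local rule fires on it, and an Active Response entry hands that `srcip` to the stock `firewall-drop` command. The decoder names and the rule id 100100 are assumptions chosen for this example (the post's own rule is 1009).

```xml
<!-- local_decoder.xml (or decoder.xml): parse the OpenVPN syslog lines.
     Decoder names here are example assumptions, not from the original post. -->
<decoder name="openvpn">
  <!-- matches the syslog program name "openvpnserver" seen in the alert -->
  <program_name>^openvpn</program_name>
</decoder>

<decoder name="openvpn-tls-error">
  <parent>openvpn</parent>
  <prematch>TLS Error: TLS handshake failed</prematch>
  <!-- "82.42.227.22:1194 TLS Error: ..." : capture the address, drop the port -->
  <regex>^(\d+.\d+.\d+.\d+):\d+ TLS Error</regex>
  <order>srcip</order>
</decoder>

<!-- local_rules.xml: 100100 is an example id in the local (100000+) range -->
<group name="openvpn,">
  <rule id="100100" level="10">
    <decoded_as>openvpn</decoded_as>
    <match>TLS Error: TLS handshake failed</match>
    <description>OpenVPN: TLS handshake failed (certificate not valid/expired or connection error)</description>
  </rule>
</group>

<!-- ossec.conf: block the decoded srcip for 10 minutes with the built-in firewall-drop command -->
<active-response>
  <command>firewall-drop</command>
  <location>local</location>
  <rules_id>100100</rules_id>
  <timeout>600</timeout>
</active-response>
```

Feed the quoted log line to ossec-logtest first and confirm the output shows `srcip` decoded, because `firewall-drop` expects that field and silently does nothing without it. A single failed handshake can also come from a legitimate client with an expired certificate, so adding `<frequency>` and `<timeframe>` to the rule keeps the block for repeated failures rather than one mistake.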