Hi,

Just an update. Now looking at the alert.log I have seen that the src IP is not written. We are using public key auth to connect to the servers; is there any reason for the src IP not to be written to the alert log?

** Alert 1269253279.90719: - pam,syslog,authentication_success,
2010 Mar 22 11:21:19 (server) yyyy->/var/log/secure
Rule: 5501 (level 3) -> 'Login session opened.'
Src IP: (none)
User: (none)
Mar 22 11:21:18 server sshd[4012]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)

Thanks
Özgür Özdemircili
http://www.acikkod.org
Code so clean you could eat off it

On Mon, Mar 22, 2010 at 10:11 AM, Ozgur Ozdemircili <[email protected]> wrote:
> Hi,
> I still seem to get the same messages:
>
> 2010 Mar 22 10:08:15 Rule Id: 5502 <http://www.ossec.net/wiki/index.php/Rule:5502> level: 3
> Location: (server) yyyy->/var/log/secure
> Login session closed.
> Mar 22 10:08:13 server sshd[5060]: pam_unix(sshd:session): session closed for user xxxx
>
> 2010 Mar 22 10:08:15 Rule Id: 5501 <http://www.ossec.net/wiki/index.php/Rule:5501> level: 3
> Location: (server) 94.125.143.164->/var/log/secure
> Login session opened.
> Mar 22 10:08:13 server sshd[5060]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)
>
> 2010 Mar 22 10:08:13 Rule Id: 5502 <http://www.ossec.net/wiki/index.php/Rule:5502> level: 3
> Location: (server) yyyy->/var/log/secure
> Login session closed.
> Mar 22 10:08:13 server sshd[5034]: pam_unix(sshd:session): session closed for user xxxx
>
> 2010 Mar 22 10:08:13 Rule Id: 5501 <http://www.ossec.net/wiki/index.php/Rule:5501> level: 3
> Location: (server) yyyy->/var/log/secure
> Login session opened.
> Mar 22 10:08:13 server sshd[5034]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)
>
> I need somehow not to receive alerts if the user xxx is connecting from ip yyyy.
>
> Can it be done?
>
> Thanks
> Özgür Özdemircili
> http://www.acikkod.org
> Code so clean you could eat off it
>
>
> On Wed, Mar 17, 2010 at 9:48 PM, Wim Remes <[email protected]> wrote:
>
>> Ozgur,
>>
>> this rule tree should get you there if I understood your question correctly:
>>
>> <rule id="100105" level="3">
>>   <if_level>3</if_level>
>>   <user>xxxx</user>
>>   <description>Ignoring user xxxx</description>
>> </rule>
>>
>> <rule id="100107" level="0">
>>   <if_sid>100105</if_sid>
>>   <srcip>yyyy</srcip>
>>   <description>ignoring user xxxx from host yyyy</description>
>> </rule>
>>
>> KR,
>> W
>>
>> On 17 Mar 2010, at 16:39, Ozgur Ozdemircili wrote:
>>
>> Hi,
>>
>> As a part of our monitoring system we have a monitoring server that is accessing the servers using the xxxx user. Every minute this user is entering the servers and checking the system health. Until here everything is ok.
>> As a part of cleaning the alerts I'm receiving from ossec I added the following parameters to local_rules.xml, which ignore user xxxx and ip yyyy.
>>
>> --- Ignore user xxxx --
>>
>> <group name="local">
>>   <rule id="100105" level="0">
>>     <if_level>3</if_level>
>>     <user>xxxx</user>
>>     <description>Ignoring user xxxx</description>
>>   </rule>
>>
>>   <rule id="100106" level="0">
>>     <if_level>3</if_level>
>>     <match>xxxx</match>
>>     <description>Ignoring user xxxx</description>
>>   </rule>
>> </group>
>>
>> -- Ignore ip yyyy --
>>
>> <group name="local">
>>   <rule id="100107" level="0">
>>     <if_level>3</if_level>
>>     <srcip>yyyy</srcip>
>>     <description>yyyy</description>
>>   </rule>
>>
>>   <rule id="100108" level="0">
>>     <if_level>3</if_level>
>>     <match>yyyy</match>
>>     <description>yyyy</description>
>>   </rule>
>> </group>
>>
>> That is working just fine. Now the question is: how can I ignore alerts IF the xxxx user is accessing from yyyy host ONLY! In other words, if someone from a different ip uses the xxxx user to enter the servers, I want to get alerts.
>>
>> Hope it was informative enough.
>>
>> Thanks
>>
>> Özgür Özdemircili
>> http://www.acikkod.org
>> Code so clean you could eat off it
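A simplified model, added here and not part of the thread or of OSSEC's own code, of what Wim's two-rule chain sees for the two kinds of sshd lines involved. It assumes stock id 5501 for the pam_unix "session opened" line (as in the alert above) and 5715 for sshd's "Accepted publickey ... from <ip>" line (an assumption to check against your sshd_rules.xml), treats `<if_level>3</if_level>` as "level 3 or higher", and uses 192.0.2.10 as a stand-in for the thread's yyyy. The log lines are constructed. It shows why a `<srcip>` condition can never fire on the pam session line: the decoder has no address to hand to it, whereas the "Accepted" line does carry one.

```python
import re
from typing import Optional, Tuple

# Stand-ins for the thread's redacted values (constructed placeholders).
MONITOR_USER = "xxxx"
TRUSTED_IP = "192.0.2.10"  # plays the role of "yyyy"

# Constructed sample sshd lines, modelled on the ones quoted in the thread:
# each login produces an "Accepted ..." line (with the client address) and
# a pam_unix "session opened" line (without it).
SAMPLE_LOGS = [
    "Mar 22 10:08:13 server sshd[5034]: Accepted publickey for xxxx from 192.0.2.10 port 51234 ssh2",
    "Mar 22 10:08:13 server sshd[5034]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)",
    "Mar 22 10:09:00 server sshd[5100]: Accepted publickey for xxxx from 198.51.100.7 port 40000 ssh2",
    "Mar 22 10:09:00 server sshd[5100]: pam_unix(sshd:session): session opened for user xxxx by (uid=0)",
]

ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port \d+")
PAM_OPEN_RE = re.compile(r"pam_unix\(sshd:session\): session opened for user (\S+)")


def decode(line: str) -> Tuple[Optional[str], Optional[str]]:
    """Simplified decoder: return (user, srcip) for the two sshd line shapes."""
    m = ACCEPTED_RE.search(line)
    if m:
        return m.group(1), m.group(2)
    m = PAM_OPEN_RE.search(line)
    if m:
        # The pam_unix session line names the user but carries no client address,
        # so there is nothing a <srcip> condition could ever match against.
        return m.group(1), None
    return None, None


def base_rule(line: str) -> Tuple[int, int]:
    """Which stock rule the line hits first, as (sid, level)."""
    if ACCEPTED_RE.search(line):
        return 5715, 3   # sshd authentication success (assumed id; verify in sshd_rules.xml)
    if PAM_OPEN_RE.search(line):
        return 5501, 3   # 'Login session opened.' as shown in the alert above
    return 0, 0


def evaluate(line: str) -> Tuple[int, int, Optional[str]]:
    """Apply Wim's local rules on top of the base rule; return (final sid, level, srcip)."""
    sid, level = base_rule(line)
    user, srcip = decode(line)
    # rule 100105 (level 3): <if_level>3</if_level> <user>xxxx</user>
    if level >= 3 and user == MONITOR_USER:
        sid, level = 100105, 3
        # rule 100107 (level 0): <if_sid>100105</if_sid> <srcip>yyyy</srcip>
        # Only reachable when the decoder actually produced an address.
        if srcip is not None and srcip == TRUSTED_IP:
            sid, level = 100107, 0
    return sid, level, srcip


if __name__ == "__main__":
    for entry in SAMPLE_LOGS:
        sid, level, srcip = evaluate(entry)
        verdict = "suppressed" if level == 0 else "ALERT"
        print(f"{verdict:10} sid={sid} level={level} srcip={srcip!r}  {entry[35:]}")
```

Run as-is, the "Accepted" line from the trusted address lands on 100107 and is silenced, the same line from any other address stays at level 3, and both pam_unix session lines stay at level 3 regardless of where the login came from, which is exactly the behaviour reported in the update above. The practical consequence is that a source-address whitelist has to hang off the rule that fires on the line carrying the address, not off the session-open rule.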
